The personal information of more than half a million Chicago Public Schools students and staff was leaked in a ransomware attack last December, although the breach wasn’t reported until April, officials said.
The district said on Friday that technology vendor Battelle for Kids notified CPS of the breach on April 25.
A server used to store student and staff information was breached, and four years’ worth of records were accessed, CPS said in a statement.
CPS said that 495,448 student and 56,138 employee records were accessed from 2015-16 through 2018-2019 school years.
Student information involved in the breach included students’ names, schools, dates of birth, gender, CPS identification numbers, state student identification numbers, class schedule information and scores on course-specific assessments. Employee information included names, employee identification numbers, school and course information, emails and usernames.
“There were no Social Security numbers, no financial information, no health data, no current course or schedule information, no home addresses and no course grades, standardized test scores, or teacher evaluation scores exposed in this incident,” CPS said.
CPS said there is no evidence the data has been misused, posted or distributed. It offered affected families a year of credit monitoring and identity theft protection.
The FBI and Department of Homeland Security both investigated the breach and the vendor is “monitoring and will continue to monitor the internet in case the data is posted or distributed,” CPS said.
The education sector in the US has experienced significant data breaches in recent months. In March, a widely used online grading and attendance system was hacked, causing what could be the largest ever exposure of students’ personal data in American history.
Cyber-criminals broke into the IT systems of Illuminate Education in January, gaining access to a database containing the personal data of around 820,000 current and former New York City public school students.