Information from hundreds of thousands of current and former Chicago Public School students has been exposed following a data breach, according to district officials. In a letter to parents Friday, they said there was no evidence suggesting any information had been misused.
According to the school district, the breach did not include Social Security numbers, financial information or health data. The FBI and the Illinois attorney general are investigating the incident.
Late last year, an unauthorized third party carried out a cyberattack that accessed CPS data on a server owned by one of the school district’s technology vendors, Cleo, which is a file transfer software. On Feb. 8, CPS learned that student data had been accessed during the attack. Per the Student Online Personal Protection Act, the district had to notify affected parties within 30 days.
The information accessed included students’ names, dates of birth, gender, student identification numbers and even Medicaid identification numbers and dates of eligibility for those enrolled in the federal program. These Medicaid Recipient Identification Numbers cannot be used to obtain Social Security, open bank accounts, credit lines or credit cards.
While the investigation is ongoing, the school district believes all current students and former students dating back to the 2017-18 school year were affected. Staff data was not breached.
“CPS is deeply committed to the security of student information, and we expect the same level of care and commitment from our vendors,” said Norman Fleming, CPS chief information officer, in the letter to parents. “Please know that the protection of your child’s personal information is a top priority, and we sincerely regret any concern or inconvenience that this matter may cause you.”
The school district will update families on any additional steps and resources on its website at cps.edu/databreach.
