Over 700,000 current and former Chicago Public School students’ information was exposed following a data breach last month.
On Feb. 8, the district learned that student data had been leaked following a cyberattack by a Russian hacking group “Cl0p.” The information leaked included students’ names, dates of birth, gender, student identification numbers, Medicaid identification numbers and dates of eligibility for those enrolled in the federal program. CPS staff’s private information, however, was not compromised, according to the district. There is currently no evidence of misuse of information, according to CPS.
Social Security numbers, financial information, or health data was not leaked during the breach, according to an email sent to parents from the district. The release of Medicaid Recipient Identification Numbers cannot be used to gain students’ Social Security numbers, open bank accounts, credit lines or credit cards, CPS said in the email.
In the wake of the attack, parents and students might feel exposed or worried. Here’s a guide of possible problems and how families can protect themselves.
Identity theft is unlikely, a social engineering attack is a possibility.
While the information compromised can not be used for identity theft directly, University of Chicago professor Marshini Chetty, an expert in ed-tech privacy, said students’ compromised information can be used in other ways. One way is a social engineering attack.
With hackers having access to students’ Medicaid information, for example, Chetty said they can call parents or students at a later date, pretending to be from Medicaid and tricking individuals into sharing more personal information, such as their social security.
“If I have personal information about you, you’re more likely to believe something that I’m telling you,” Chetty said. “Then I could potentially get more information from you that would allow me to do identity theft or clinical theft and so on.”
This mainly happens at a later time when a parent may have forgotten about information being leaked, Chetty said, so it’s important to remain vigilant.
Still in the early days of the data leak, Chetty said there’s both a worst case scenario and best case scenario on how the situation may continue to unfold into the future.
In the best scenario, individuals’ data isn’t sold, and no further information is compromised.
In the worst case, leaked information is used in a future attack or sold by hackers in order to compromise more of an individual’s information. It’s hard to predict what may happen, Chetty said.
However, there are a few things parents can do to ensure their students are protected against any possible threats.
Change passwords
To follow standard good security practices, parents should ensure they’re using strong passwords and enable two-factor authentication, according to Chetty. Good cyber-security hygiene will prevent someone from compromising your account, even if they’re able to get ahold of your password.
“Because you can’t predict when that information will be exploited or exactly what it will be used for… then it’s hard to know what else you can do to safeguard yourself.”
Credit report or freeze
In December, PowerSchool, a cloud-based software provider for K-12 education, experienced a data breach that exposed the sensitive information of millions of students and teachers in districts both in the U.S. and Canada. The data leaked in this situation could be used for credit fraud, Chetty said.
In that situation, it was apparent victims of the attack needed to freeze their credit information immediately, but in a situation similar to CPS, where social security numbers were not compromised, it’s a little less clear, Chetty said.
“They could put this credit freeze on their children’s account,” Chetty said. “(It’s) more extreme but saying you don’t know when the information is going to be used, especially if you have a young child, like there’s no harm in putting the credit freeze on your child’s credit.”
In a letter to parents, CPS told families they can request a free credit report through annualcreditreport.com, to catch early signs of identity theft.
Data breaches are increasingly common. Remain vigilant
Data breaches of this magnitude have become more common in recent years, according to Chetty. School districts have become more of a target because they are large organizations that may not have the resources for IT staff to match their size that can ensure their network and software are secure.
“It’s not happening every day, but it is happening frequently enough that we hope CPS and other school districts are taking notes and trying to make sure that student data is kept safe,” Chetty said.
Ensuring that parents and students are practicing good security hygiene and checking that authorities asking for sensitive information are who they say they are is the best way for families to stay safe, Chetty said.
“Trying to be proactive and just taking those good security steps,” Chetty said. “That’s how you can walk the line and not overly panic, but make sure that you’re doing something.”
