The CPS blame a third-party supplier for a data breach incident

June 22, 2022
CPS Chicago Public Schools Third-Party Risk Vendor Supplier Data Breach Cyberattack Incident Battle for Kids US

Chicago Public Schools (CPS) have published an advisory regarding a data breach of nearly half a million students from the educational institution, blaming the misactions of a third-party supplier which resulted in a ransomware attack.

The ransomware campaign has impacted the Ohio-based non-profit organisation called Battle for Kids. This single school system experienced a data exposure of approximately 50,000 staff records. The cybercriminals consistently deployed ransomware and took copies of databases or other data before the encryption process.

Most threat actors demand a ransom for a decryption key to retrieve the stolen data. However, if the victims refuse to pay for the ransom demand, the threat actors will likely dump the stolen data online and be accessible to the public.

 

The breach occurred in December last year. However, the third-party supplier notified CPS of the problem last April after confirming the breach through a separate researcher.

 

In the Chicago Public School’s case, the malicious actors hacked into a server that kept the assessment data used for teacher evaluation and student course information. Additionally, the adversaries gained access to nearly 500,000 student records that included names, date of birth, sexuality, course taken, and grade levels.

The researchers noted that the potentially stolen data may have been from 2015 to 2019.

For the staff records, the exposed data included names, schools, work email addresses, work schedules, class meetings, and courses taught.

Fortunately, the infected systems did not host financial information, health data, social security numbers, or home addresses. The secured data will mitigate the potential impact of the breach, which could pave the way for more convincing phishing messages.

CPS noted that every individual affected by the cybercriminal activity is eligible for accessing credit monitoring and identity theft protection for free.

The delay in notifying affected customers about the breach has provoked some criticism on social media. The supplier’s incompetence has resulted in a catastrophic event that can potentially harm teachers and students.

About the author

Leave a Reply