Almost 500K Chicago students' data exposed in ed tech ransomware breach

In a late Friday news dump, Chicago Public Schools (CPS) announced a massive breach of the personal data of almost half a million students and more than 56,000 teachers. Parents and guardians were sent individual notices if their child’s data was included in the breach. The data, which spanned four school years, 2015-16 through 2018-19, was part of a ransomware attack on the non-profit ed tech vendor Battelle for Kids, which has had a contract with CPS since 2012.

We think it’s worth noting that there would have been no obligation to notify parents of this breach at all had the IL General Assembly not passed an amendment to IL's Student Online Privacy Protection Act (SOPPA) in 2019—legislation that was spearheaded and drafted by IL Families for Public Schools.

The original version of SOPPA passed in 2017 didn't even include the word breach! And most types of student data, including the types involved in this breach, aren't covered under IL's more general Personal Information Protection Act. After the massive nationwide Pearson AIMSweb breach in 2019 (before the SOPPA amendments took effect), it required major prodding to get CPS to admit that CPS data was involved.

This is the first major student data breach since the amendments went into effect, and we’re glad to see the school district notifying parents relatively promptly, including those of children whose data wasn’t exposed. (CPS's online notice of the breach can be found here.)

That said, SOPPA has other important provisions as well, and neither CPS nor the vendor appears to have been in full compliance.

For example, school districts are required to make public which third parties student data is being shared with, along with details of what data is being shared, and Battelle for Kids is not even listed in the CPS online database of SOPPA vendors/software. A copy of the latest agreement with Battelle, which was to start on Feb 1 2022, should be posted there, along with a list of the data elements being shared with Battelle. That most recent agreement with Battelle for Kids isn't on the general CPS contract page yet either, and only the Board approval of the agreement is posted on the Chicago Board of Education site. SOPPA requires that posting within 30 days of the contract being signed.

[Update 6/7/2022: We made a FOIA request for the most recent contract between CPS and Battelle. You can download a copy of it here.]

Disturbingly, in a letter to IL-FPS last July, the CPS Law and IT Departments refused to tell us, in response to our written inquiry, whether Battelle for Kids was being treated as an operator under SOPPA. This was despite the fact that they had just signed an update to their existing agreement with Battelle on June 30, 2021, specifically to incorporate new requirements in order to comply with the new CPS SOPPA policy.

According to a statement on the CPS website, Battelle was in violation of their contract with CPS because they did not notify the district immediately. The breach took place on December 1, 2021, and they notified CPS on April 26, 2022. This is also a violation of SOPPA, which requires an operator to notify a school within 30 days.

There are also questions about whether Battelle should have had such old data still in its possession. Why wasn’t this data deleted long before it could be stolen? Although we do not have a copy of the current contract, that 6/30/2021 addendum’s terms state that data should be deleted after completion of any required reports on the vendor’s services provided. Surely data from six school years ago should have been destroyed at this point.

And parents, teachers and privacy advocates should also be asking not only why this data was still being held, but whether it should ever have been collected in the first place. The data in question was shared with Battelle as part of the teacher evaluation system. Since 2012, teachers in Illinois public schools must be evaluated based on the performance of the individual students they teach, a system known in Chicago Public Schools as REACH. REACH was put into place to comply with teacher evaluation reforms passed as part of state law so that the state could apply for funds from the Obama-era Race to the Top federal grant program. Research released last December definitively demonstrated that those reforms were a complete and utter waste of time.

On a brighter note, the Federal Trade Commission unanimously passed a policy statement this past week saying that they will be going after ed tech companies, including for things like sitting on old data that should have been destroyed. Read their announcement about this here. Unfortunately, the FTC’s enforcement in this case only applies to the federal Children’s Online Privacy Protection Act (COPPA). But COPPA does not apply to non-profits, like Battelle for Kids, nor to children over age thirteen years.

COPPA urgently needs to be extended to cover older youth, and, really, the US needs comprehensive privacy protections of children and, in fact, people of all ages. You can read more about that here and send a message to your representatives in DC via this link.

If you were impacted by this Battelle for Kids breach and have further questions, please reach out: [email protected], and we’ll do our best to help you hunt down the answers!