CPS confirms Chicago affected by Pearson AIMSweb breach

On Wednesday September 25th, Chicago Public Schools Chief Information Officer Phil DiBartolo confirmed that Illinois' largest school district, Chicago Public Schools, was also part of the Pearson AIMSweb data breach that Pearson first announced in July.

In response to an email inquiry the previous week from Cassie Creswell of IL Families for Public Schools, DiBartolo wrote:

"We have been working for the past several weeks to piece together the data that Pearson provided as part of their notification. The AIMSweb product was used at the school level and the data was input manually, therefore it took quite a bit of time to validate the data. It was of primary importance for us to analyze the data thoroughly before we could confidently ensure that we had our arms around the issue and had properly identified the affected students and staff.

We have begun notifying students whose data was mishandled by Pearson, including students who graduated or left the district. These notifications are in flight and the communications are coming from central office, with myself as signatory.  The notification to affected parties includes details on Person’s offer of two-years of identity monitoring. We are notifying parents of affected students directly."

In July Pearson began notifying 13,000 school districts and universities that its AIMSweb product was breached in November 2018. Pearson discovered the breach in March. We're keeping a running list of all Illinois school districts known to be affected by the breach on this page.

The breach included AIMSweb 1.0 accounts going back to 2001 (and possibly longer) and included students' names, emails and some birth dates and student ID numbers. In some districts teacher and staff info was also breached. Here's one of the notification letters Pearson sent to school districts.

Chicago civil rights law firm Loevy & Loevy has filed a class action suit against Pearson for this breach. If you or your child were affected, and you'd like to get in touch with the attorneys, you can email databreach@loevy.com. You can read the full legal complaint here.

CPS has not released a list of schools affected. Based on detailed vendor payment that CPS had previously posted online, we have found at least 50 schools that paid NCS Pearson for AIMSweb related products between June 2009 and June 2016.(List here.) Note that this may not be a comprehensive list of affected schools because these payments only go back to mid-2009, and it's possible that students at other schools had their data included in AIMSweb.

 

[Graphic used via Creative Commons]

connect