The data breach happened on December 1, and the district was notified on April 26 by technology vendor Battelle for Kids. According to CPS, a server used to store student and staff information was compromised, and records dating back four years were accessed.
CPS reported that 495,448 student and 56,138 employee records were accessed from 2015-16 to 2018-2019 school years. The data contained students' names, schools, dates of birth, gender, CPS identification numbers, state student identification numbers, class schedule information, and course-specific assessment scores used for teacher evaluations.
For the years accessed, employee data included names, employee identification numbers, school and course information, as well as emails and usernames.
The compromised server, according to CPS, did not store any other records.
"No Social Security numbers, financial information, health data, current course or schedule information, home addresses, or course grades, standardized test scores, or teacher evaluation scores were exposed as a result of this incident," the district said in a statement.
CPS stated that there is no evidence that the data was misused, posted, or distributed, but it did offer a year of credit monitoring and identity theft protection to affected families.
According to CPS officials, the district has informed affected families and staff, and those whose records were not accessed will be notified "to provide them with peace of mind."
The FBI and DHS both investigated the breach, according to CPS, and the vendor is "monitoring and will continue to monitor the internet in case the data is posted or distributed."
Battelle for Kids was hired to help district leaders implement CPS' REACH teacher evaluation program. These assessments consider the annual improvement in students' academic performance.
CPS was notified of the breach by Battelle for Kids via mailed letter on April 26, but it "did not have specific information as to which students were affected, nor did CPS know that staff information was also compromised until May 11."
CPS stated that it is "addressing the delayed notification and other issues in data handling with Battelle for Kids" because its contract with the vendor requires it to notify the district of any data breach immediately.
Battelle for Kids said in a statement to the Chicago Sun-Times on Friday that it "immediately engaged a national cybersecurity firm to assess the scope of the incident and took steps to mitigate the potential impact."
The company stated that it has since implemented stronger security protocols, but it did not explain why it did not notify CPS of the breach while the assessment was being conducted.
CPS has been working with Battelle for Kids since 2012, according to the Chicago Sun-Times. The most recent contract, signed a month after the breach, is expected to be worth around $90,000 for the fiscal year ending January 31, 2023.
The Board of Education paid the Ohio-based company $1.4 million between 2012 and 2020, according to an online database of CPS vendor payments.