Chicago Public Schools and law enforcement are investigating a data breach that exposed current and former students’ personal information.
Cleo, a file transfer software vendor used by the school district, was the subject of a cyber-attack late last year in which student data was accessed and published to the dark web, CPS said in a statement.
The data breach affected roughly 700,000 students dating back to the 2017-18 school year, CPS said. Students’ names, dates of birth, gender and their CPS student ID numbers were accessed. Students enrolled in Medicaid also had their Medicaid ID number and dates of eligibility exposed.
Social Security numbers, financial and health information were not exposed in the breach, CPS said.
“At this time, there is no evidence to suggest that any student data has been misused. No staff information was involved in this incident,” CPS said.
The school district immediately informed law enforcement, including the FBI and the Illinois attorney general’s office, of the data breach.
“CPS is deeply committed to the security of student information, and we expect the same level of care and commitment from our vendors,” the school district said in a statement.
“As an organization, CPS takes proactive measures to limit exposure by continuously strengthening our defenses and including strong provisions in vendor contracts to ensure data is protected. Through ongoing diligence and improvement, we will continue to adapt our security posture to reduce the risk of future breaches.”