If there is a Keystone Cops equivalent of a k-12 data breach, a recent incident involving Chicago Public Schools may be a strong contender.
Last week, this site noted a breach that seemed puzzling in its description. Since that time, some informed parents have reached out to me to provide me with more details about the incident.
It all started when Chicago Public Schools (CPS) sent a letter to parents of students who were eligible to select other schools for the 2018-2019 school year. The letter was intended to instruct the parents how to review the schools that their child was eligible for and how to indicate their choice.
Based on what was provided to DataBreaches.net by Cassie Creswell, co-director of Raise Your Hand Action, a Chicago-based public education advocacy group, it appears that instead of the letter having an attachment, the letter (only) contained a link to a file on Blackboard. That file contained 3,700 students’ and parents’ information. So every recipient who clicked on the link in the email would have seen – and could have downloaded – a file with thousands of students and parents’ information.
Why that file should be up on Blackboard with absolutely no login required was not explained by CPS in their breach notification letter.
According to Cressell, the fields were in the following format:
First_Name Last_Name HomePhone WorkPhone MobilePhone SMSPhone EmailAddress ReferenceCode Building
The names are the student’s name, the phone numbers and email are for the parent, and the reference code is the child’s CPS student ID number, Creswell explained. The field labeled “Building” contained a list of one or more types of selective schools: AC, Regional Gifted Centers, Classical.
Frustratingly, it appeared that although CPS fairly quickly realized that they had had a data breach, they didn’t quite understand the nature of the breach. Initially, as their notification letter suggested, they seemed to believe that parents had actually received an attached file with 3,700 students’ information. Hence, they asked parents to basically “do the right thing” and delete the attachment without looking at it.
But there was no attachment, and it took CPS more than 4 hours to figure out that instead of asking parents to delete a nonexistent attachment, they needed to remove the unsecured file from Blackboard or otherwise lock it down.
So while CPS may have believed that they had responded appropriately to the breach by asking parents to delete an attached file, in actuality, the file remained where it had always been – up on Blackboard. And any parents who hadn’t already accessed that file when they first got an email from CPS might have become curious and taken a look at the file in the more than 5 hours it allegedly took CPS to actually secure the file.
To make matters even worse, there’s some indication that this was not the first time CPS had made this exact type of error. DataBreaches.net was provided with a text copy of an email sent by CPS on March 10, 2017 that contacted parents about selective enrollment, and that supposedly contained an attachment, but actually contained a link to a live file on Blackboard:
*File attachments:*
SEHS Confirmation Reminder.csv
<https://connectdocs.blackboard.com/<redacted by DataBreaches.net>
This certainly appears to be the same scenario as the recent breach, and DataBreaches.net has reached out to CPS to ask them to confirm or deny whether this was the same kind of breach.
In a statement to DataBreaches.net, Creswell summarized parental frustration and fears:
We are deeply concerned about yet another improper sharing incident of student data in Chicago Public Schools. The district’s response to being notified of the breach was especially concerning because (1) it was clear that they initially didn’t understand how the data had been shared (on the web vs as an email attachment), and it took hours for them to disable the web site. And (2) this is at least the second time that they’ve made this exact mistake.
CPS has a $950K contract with Blackboard Connect, but it seems that they haven’t received either the training or the support needed to properly use this product, one which interfaces with their own Student Information System.
This is just an error that’s come to light publicly; what else is happening that the parents and the public don’t even see?
As noted above, DataBreaches.net reached out to CPS to ask them to confirm or deny that this was the second time that parents had been given a link to a file on Blackboard instead of being provided an attached form to complete. DataBreaches.net also posed two additional questions to Tony Howard, Executive Director, CPS Office of Access and Enrollment:
In terms of the current/most recent incident: Who determined that a file should be uploaded to Blackboard and made available without any login required? Was that an executive decision or did some hapless employee just screw up or….?
and
Is someone going to reconfigure connect.blackboard to require at least a password to access files on it? I’m concerned that someone could have uploaded a spreadsheet with hundreds of thousands of student names, IDs, and medical or SpEd information or other sensitive info.
No response was immediately received, but that is not surprising on a weekend and holiday. This post will be updated if a reply is received.