DataBreaches.Net


More details emerge about Chicago Public Schools data breach

Posted on June 18, 2018 by Dissent

If there is a Keystone Cops equivalent of a K-12 data breach, a recent incident involving Chicago Public Schools may be a strong contender.

Last week, this site noted a breach that seemed puzzling in its description. Since that time, some informed parents have reached out to me to provide me with more details about the incident.

It all started when Chicago Public Schools (CPS) sent a letter to parents of students who were eligible to select other schools for the 2018-2019 school year. The letter was intended to instruct the parents how to review the schools that their child was eligible for and how to indicate their choice.

Based on what was provided to DataBreaches.net by Cassie Creswell, co-director of Raise Your Hand Action, a Chicago-based public education advocacy group, it appears that instead of the letter having an attachment, the letter (only) contained a link to a file on Blackboard. That file contained 3,700 students’ and parents’ information. So every recipient who clicked on the link in the email would have seen – and could have downloaded – a file with thousands of students’ and parents’ information.

Why that file should be up on Blackboard with absolutely no login required was not explained by CPS in their breach notification letter.

According to Creswell, the fields were in the following format:

First_Name Last_Name HomePhone WorkPhone MobilePhone SMSPhone EmailAddress ReferenceCode Building

The names are the student’s name, the phone numbers and email are for the parent, and the reference code is the child’s CPS student ID number, Creswell explained. The field labeled “Building” contained a list of one or more types of selective schools: AC, Regional Gifted Centers, Classical.
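A pre-publication gate for a roster export with the column layout described above, as an added example (not code from DataBreaches.net, CPS or Blackboard). It assumes the export is tab-separated with exactly those header names; the rows are constructed sample data, not real records.

```python
"""Refuse to publish a roster export openly if it carries student or parent PII."""
import csv
import io
import re

# Columns the post identifies as naming a child or reaching a parent.
# Any of these present means the file must sit behind a login.
SENSITIVE_COLUMNS = {
    "First_Name", "Last_Name", "HomePhone", "WorkPhone", "MobilePhone",
    "SMSPhone", "EmailAddress", "ReferenceCode",
}
PHONE_COLUMNS = ("HomePhone", "WorkPhone", "MobilePhone", "SMSPhone")
PHONE_RE = re.compile(r"^\+?[\d\s().-]{7,}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def review_export(text: str) -> dict:
    """Summarise what an unauthenticated link to this file would expose."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    sensitive = SENSITIVE_COLUMNS.intersection(reader.fieldnames or ())
    rows = list(reader)
    emails = sum(1 for r in rows if EMAIL_RE.match(r.get("EmailAddress") or ""))
    phones = sum(1 for r in rows for c in PHONE_COLUMNS if PHONE_RE.match(r.get(c) or ""))
    return {
        "records": len(rows),
        "sensitive_columns": sorted(sensitive),
        "email_addresses": emails,
        "phone_numbers": phones,
        # Only a file with no identifying columns and no contact data may go up without a login.
        "safe_to_publish_without_login": not sensitive and emails == 0 and phones == 0,
    }


# Constructed sample in the layout quoted in the post (assumed tab-separated).
SAMPLE_ROSTER = "\t".join([
    "First_Name", "Last_Name", "HomePhone", "WorkPhone", "MobilePhone",
    "SMSPhone", "EmailAddress", "ReferenceCode", "Building",
]) + "\n" + "\t".join([
    "Ada", "Example", "312-555-0100", "", "312-555-0101",
    "312-555-0101", "parent1@example.com", "00000001", "Regional Gifted Centers",
]) + "\n" + "\t".join([
    "Ben", "Sample", "", "312-555-0200", "", "", "parent2@example.com", "00000002", "AC, Classical",
]) + "\n"

# A file listing only school types carries nothing identifying and would pass.
SAMPLE_SCHOOL_LIST = "Building\nAC\nRegional Gifted Centers\nClassical\n"

if __name__ == "__main__":
    print(review_export(SAMPLE_ROSTER))
    print(review_export(SAMPLE_SCHOOL_LIST))
```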

Frustratingly, it appeared that although CPS fairly quickly realized that they had had a data breach, they didn’t quite understand the nature of the breach. Initially, as their notification letter suggested, they seemed to believe that parents had actually received an attached file with 3,700 students’ information. Hence, they asked parents to basically “do the right thing” and delete the attachment without looking at it.

But there was no attachment, and it took CPS more than 4 hours to figure out that instead of asking parents to delete a nonexistent attachment, they needed to remove the unsecured file from Blackboard or otherwise lock it down.

So while CPS may have believed that they had responded appropriately to the breach by asking parents to delete an attached file, in actuality, the file remained where it had always been – up on Blackboard. And any parents who hadn’t already accessed that file when they first got an email from CPS might have become curious and taken a look at the file in the more than 5 hours it allegedly took CPS to actually secure the file.

To make matters even worse, there’s some indication that this was not the first time CPS had made this exact type of error. DataBreaches.net was provided with a text copy of an email sent by CPS on March 10, 2017 that contacted parents about selective enrollment, and that supposedly contained an attachment, but actually contained a link to a live file on Blackboard:

*File attachments:*
SEHS Confirmation Reminder.csv
<https://connectdocs.blackboard.com/<redacted by DataBreaches.net>

This certainly appears to be the same scenario as the recent breach, and DataBreaches.net has reached out to CPS to ask them to confirm or deny whether this was the same kind of breach.

In a statement to DataBreaches.net, Creswell summarized parental frustration and fears:

We are deeply concerned about yet another improper sharing incident of student data in Chicago Public Schools. The district’s response to being notified of the breach was especially concerning because (1) it was clear that they initially didn’t understand how the data had been shared (on the web vs as an email attachment), and it took hours for them to disable the web site. And (2) this is at least the second time that they’ve made this exact mistake.

CPS has a $950K contract with Blackboard Connect, but it seems that they haven’t received either the training or the support needed to properly use this product, one which interfaces with their own Student Information System.

This is just an error that’s come to light publicly; what else is happening that the parents and the public don’t even see?

As noted above, DataBreaches.net reached out to CPS to ask them to confirm or deny that this was the second time that parents had been given a link to a file on Blackboard instead of being provided an attached form to complete. DataBreaches.net also posed two additional questions to Tony Howard, Executive Director, CPS Office of Access and Enrollment:

In terms of the current/most recent incident: Who determined that a file should be uploaded to Blackboard and made available without any login required? Was that an executive decision or did some hapless employee just screw up or….?

and

Is someone going to reconfigure connect.blackboard to require at least a password to access files on it? I’m concerned that someone could have uploaded a spreadsheet with hundreds of thousands of student names, IDs, and medical or SpEd information or other sensitive info.

No response was immediately received, but that is not surprising on a weekend and holiday. This post will be updated if a reply is received.

Category: Breach Incidents, Education Sector, Exposure, Of Note
