Chicago Public Schools (CPS) disclosed on Friday that students may have had their data taken in a ransomware incident involving one of its vendors.

The ransomware attack happened last December at Battelle for Kids (BfK), based in Columbus, Ohio, which develops services to provide innovation in schools for students and teachers.

Breaching education

Around 490,000 students and 56,000 employees had their data exposed by those responsible for the ransomware. The data accessed by the criminals, covering 2015 to 2019, potentially included:

  • Name
  • School
  • CPS email
  • Employee ID number
  • Battelle for Kids username

The breach notification says that home addresses, health/financial information, and social security numbers were not exposed.

Chicago Public Schools is offering free credit monitoring for those affected.

A late notification

The breach occurred in December, but notification did not follow promptly, which raises several questions about the delay in informing those impacted. According to Bleeping Computer, the CPS contract with BfK requires immediate notification of any data breach.

Despite this, it took no fewer than four months to get word out that something had occurred. Letters pertaining to the breach were sent out towards the end of April. The reason given for this is that it took this long to verify the breach had actually taken place. That isn’t all, however. Other breaches related to the compromise of Battelle for Kids suggest private student data was revealed “as far back as 2011”.

According to the Chicago Sun Times, a spokesperson for CPS says the breach was “caused [and] exacerbated by BfK’s failure to follow the information security terms of their contract”. They go on to single out a failure to encrypt data and purge old records. We talk about ransomware breaches often, and frequently mention the benefits of having a sensible back-up plan. This sounds like a case which may well have benefited greatly from this approach.

Schools: a ripe target for ransomware

All forms of education are an increasingly popular place to be for ransomware criminals. Schools, universities, and (as we see above) third-party organisations are all valid targets. Even if the schools have a watertight security setup, it may not be the case for external suppliers and other entities interacting with the data in some way.

Outbreaks in schools and universities may not be life-threatening in the way attacks on the healthcare sector can be. However, severe delays to applications, operations, and teaching generally can have a big impact on students.

Tips to avoid ransomware

  • Keep devices updated. Secure your devices with the latest updates and patches. It’s not just the operating system you have to consider here. Outdated software and applications are frequently the launchpad for exploits leading to ransomware attacks.
  • Update your security software. Often your first line of defence, help it to help you by automating updates and scans.
  • Strengthen remote access. A common ransomware pitfall is leaving remote services unsecured. Provide a limit on password guess attempts for remote desktops. You can also combine remote services with multifactor authentication.
  • Avoid strange attachments. Booby-trapped Word/Excel documents are a big threat in these realms, especially where macros are concerned.
  • Browser controls for bad ads. Malvertising is another method for dropping ransomware onto systems. Restricting certain features like JavaScript will help, though this may make some sites unusable in places. Dedicated extensions which control scripts more generally, tracking, or untrustworthy ad networks will also help.
  • Encrypt and back it up. Keep your data encrypted whenever possible, and get into the habit of backing up regularly. Store backups externally, away from the main network. Ensure your backups are stored in a logical way and not a confused mess of folders and files, so you can easily find and restore files if you need to.