Cyber Incident Victim: Battelle for Kids

Date: Dec 2020

Location: United States of America

Summary

A ransomware attack on Battelle for Kids, a nonprofit educational vendor, compromised sensitive data belonging to hundreds of thousands of students and employees from Chicago Public Schools and other districts. The breach exposed personal information including names, birth dates, student and employee IDs, course details, and assessment scores from multiple past school years, though financial and health data remained unaffected. The vendor delayed notifying affected school systems for several months while conducting forensic analysis and cooperating with law enforcement. No public data leak occurred, suggesting potential ransom payment, though the responsible threat actor remains unidentified. Impacted individuals were offered credit monitoring and identity theft protection services.

Description

On December 1, 2020, Battelle for Kids, an Ohio-based not-for-profit educational organization providing student data analysis services to public school systems, suffered a ransomware attack compromising sensitive information. The breach impacted Chicago Public Schools (CPS), which partnered with Battelle for Kids to upload student course information and assessment data for teacher evaluations. Attackers accessed stored data from school years 2015 through 2019, exposing personal details of 495,448 students and 56,138 CPS employees. Student records included names, dates of birth, genders, grade levels, schools attended, CPS student IDs, State Student IDs, course enrollment details, and teacher evaluation performance task scores. Exposed employee data included names, school assignments, employee ID numbers, CPS email addresses, and Battelle for Kids usernames. No Social Security Numbers, home addresses, health records, or financial information were compromised. CPS first learned of the breach on April 26, 2022—four months after the incident—due to Battelle for Kids’ delay in notification while verifying the breach’s authenticity through independent forensic analysis and law enforcement investigations. Specific details about affected individuals were not provided to CPS until May 11, 2022.

In response to the breach, Chicago Public Schools implemented free credit monitoring and identity theft protection services for impacted students and staff, with enrollment instructions published on a dedicated CPS data breach notification webpage. The district noted that its contract with Battelle for Kids mandated immediate breach disclosure, but the vendor cited investigative delays as justification for the four-month notification gap. No ransomware group publicly claimed responsibility for the attack or leaked stolen data, which industry observers noted could indicate Battelle for Kids complied with ransom demands to prevent data publication. Battelle for Kids, which works with 267 school systems serving over 2.8 million students, faced additional breach disclosures in April 2022 when Ohio school districts began notifying affected individuals. CPS confirmed the compromised data related exclusively to historical records from 2015-2019 school years and emphasized no operational systems or current academic records were impacted. The incident highlighted third-party risks in educational data partnerships, particularly involving sensitive student performance metrics stored by external vendors.
