Cyber Incident Victim: Chicago Public Schools

Date: Dec 2024

Location: United States of America

Summary

A technology vendor used by Chicago Public Schools experienced unauthorized system access, compromising personal data of current and former students. Exposed information included names, birthdates, genders, student identification numbers, and, for Medicaid-enrolled individuals, Medicaid IDs with program eligibility periods. No Social Security numbers, financial records, or health data were accessed. The incident affected individuals associated with the district over multiple academic years, potentially impacting hundreds of thousands due to the system's large enrollment. While critical financial identifiers remained secure, the breach exposed sufficient data to warrant identity theft concerns. Officials confirmed that the intrusion targeted the vendor's file transfer infrastructure and emphasized that the compromised dataset did not include sensitive financial or health details.

Description

In late 2024, a cybersecurity incident occurred involving Chicago Public Schools (CPS) through a breach of Cleo, a third-party file transfer software vendor utilized by the district. The unauthorized access to Cleo's systems exposed personal information of all current and former CPS students dating back to the 2017-2018 academic year. CPS publicly disclosed the breach on March 1, 2025, confirming that compromised data included student names, dates of birth, gender, and CPS student ID numbers. For students enrolled in Medicaid programs, additional exposed information consisted of Medicaid ID numbers and dates of program eligibility. District officials emphasized that no Social Security numbers, financial account details, or health records beyond Medicaid identifiers were accessed during the intrusion. With current enrollment exceeding 320,000 students and historical data spanning eight academic years, the breach potentially impacted hundreds of thousands of individuals.

The district directed all affected current and former students to review their credit reports following the disclosure. Governors State University professor Bill Kresse, a certified fraud examiner, characterized the breach as serious but noted the absence of highly sensitive financial identifiers limited its long-term severity compared to incidents involving Social Security numbers. Kresse warned that threat actors could potentially correlate the stolen CPS data with other breached information to facilitate identity theft schemes, citing established patterns of cybercriminals compiling composite profiles from multiple sources. CPS did not disclose technical details regarding the intrusion vector, containment measures implemented, or forensic investigation timeline beyond confirming the vendor-based origin of the breach. The district's announcement focused exclusively on student data impacts, with no mention of potential compromise involving employee records, parent information, or institutional financial systems.
