Ransomware

Battelle For Kids Data Breach Impact Spreads from Ohio to Illinois, Now Includes 600K+ Students

• By Kristal Kuykendall
• 05/24/22

The impact of a major data breach at another ed tech provider has now spread to a second state as the number of students whose personal data was compromised continues growing.

Nonprofit provider of K–12 assessment and professional development solutions Battelle For Kids today confirmed it suffered a ransomware attack in December that resulted in a data breach impacting former and current students. BFK declined to answer questions about how many students or school districts were impacted, in an email reply to THE Journal. BFK’s most recent annual report states it serves 267 school systems in the United States including 2.8 million K–12 students.

Chicago Public Schools on Friday became the fourth U.S. school district to publicly announce its students were among those whose private information was stolen in the Dec. 1, 2021, ransomware attack on Battelle For Kids. The district’s notification letter, posted on its website, said CPS was “recently notified” that students enrolled between 2015 and 2019 were among those whose private information was stolen during the cyber incident.

“Specifically, an unauthorized party gained access to your child’s name, date of birth, gender, grade level, school, Chicago Public Schools student ID number, State Student ID number, information about the courses your student took, and scores from performance tasks used for teacher evaluations during school years 2015-2016, 2016-2017, 2017-2018, and/or 2018-2019,” the CPS letter stated. “The (BFK) server did not store any other information about your child. No Social Security numbers, no financial information, no health data, no current course or schedule information, and no course grades or standardized test scores were involved in this incident.”

According to the Chicago Sun-Times, CPS said the breach impacted a total of 500,000 former and current students and about 60,000 staff members and was “caused [and] exacerbated by BFK’s failure to follow the information security terms of their contract,” more specifically failing to encrypt data and purge old records.

In the past month, three school districts in Ohio have publicly posted notification letters stating their students were impacted by the Battelle For Kids data breach — going back to 2010 in some cases.

Fairfield City School District, with current enrollment of about 10,000, notified parents on May 2; its letter said students from as far back as 2011 were impacted, including the following grades and years:

• 2011-12: Grades 3-12
• 2012-13: Grades 3-12
• 2013-14: Grades K-9
• 2014-15: Grades K-12
• 2015-16: Grades PreK-12
• 2016-17: Grades PreK-12
• 2017-18: Grades PreK-12

Valley View Local School District in Germantown, Ohio, with enrollment of about 2,000, also notified parents of the data breach several weeks ago, after learning of the breach from Battelle For Kids on April 5. The district’s notification does not state the total number of students impacted nor the years or grades of those impacted.

Upper Arlington School District of Upper Arlington, Ohio, with enrollment of about 6,100, stated in an undated notification on its website that a data breach at BFK impacted “some of our former and current students from the Class of 2013 through the Class of 2022,” including the following grades and years:

• 2010-2011: Grades 2, 3, 5, 7, 10;
• 2011-2012: Grades K-8, 10-12;
• 2012-2013: Grades 1-8, 10, 11, 12;
• 2013-2014: Grades 2-8
• 2014-2015: Grades 3-12

Battelle For Kids said in a statement emailed to THE Journal that the data breached during the December 2021 ransomware attack did not include Social Security numbers nor any financial information, nor health data, nor course grades.

“This incident has been reported to and investigated by the appropriate law enforcement authorities, including the Federal Bureau of Investigation and the Department of Homeland Security” BFK said in the statement. “Battelle for Kids and our cybersecurity advisors are actively monitoring the internet in case the data is posted or distributed. We can report that as of this time, there is no evidence to suggest that the data has been misused, posted, or distributed.”

BFK made it clear in its notification letters sent to districts that it doesn’t believe the breach requires notification or public disclosure under any laws governing student data privacy, perhaps anticipating the complaints voiced Friday by Chicago school officials about the five-month delay between the actual incident and the district learning of the breach.

“These data elements are not considered personally identifiable information, and the data compromise does not trigger legal notification to the impacted students or parents of the impacted students under state data breach laws,” Battelle For Kids’ breach notification letter to Ohio's Valley View district stated. “However, these data elements may be considered personally identifiable information under FERPA, which does trigger an obligation for you to maintain a record of this disclosure with the education records of the affected students for as long as the education records are maintained. Please reach out to us at [email protected] with questions.”

Chicago schools’ letter to parents noted: “Although the data that was inappropriately accessed did not include any financial information or your child’s Social Security number, we know that you may be concerned about fraudulent activity on your child’s behalf.” The district is offering those impacted a year of free credit monitoring and identity theft protection.

The Battelle For Kids data breach notifications have followed closely the disclosure of a data breach at Illuminate Education, whose impact has spread to five states and 2 million former and current students.