The breach allegedly targeted a vendor the school district uses to house data.
According to Chalkbeat Chicago, Chicago Public Schools (CPS) recently announced that they had been the victim of a cyberattack. The ransomware attack is linked to Russian hackers and allegedly took place last year, resulting in about 700,000 current and former students having their data stolen. The district learned of the breach on February 8th, 2025.
For some students, leaked data included names, dates of birth, gender information, and their student ID numbers. For approximately 344,000 individuals, roughly half of those impacted, Medicaid ID numbers and dates of program eligibility were also included in the breach.
CPS wasn’t the only organization impacted by the breach; over 60 other organizations that also use the same vendor were hacked.
According to the breach notification, published online, the impacted vendor is Cleo, whose file transfer software the district uses to send data to external organizations.
The student data was originally encrypted, and CPS compared the theft to stealing a locked briefcase without the key. However, the hackers were ultimately able to break the encryption, allowing them to access the students' information. It's believed the information is now on the dark web, although the district said they have received no evidence that the data has been misused.
In a statement, the district said, “While we are still investigating this incident, we believe that all current students, and all former students dating back to the 2017-2018 school year were impacted.”
The district noted they were never contacted about paying a ransom in return for the stolen data. CPS stated they have been working with multiple agencies, including the FBI, the Department of Homeland Security, the State of Illinois Department of Innovation and Technology, and other agencies to investigate the breach.
While concluding the statement, CPS said they remain “deeply committed to the security of student information, and we expect the same level of care and commitment from our vendors…Through ongoing diligence and improvement, we will continue to adapt our security posture to reduce the risk of future breaches.”
As in the healthcare sector, public schools often hold valuable personal, and sometimes medical, information. In this case, the hackers were able to access some Medicaid information, which malicious actors could use to commit Medicaid fraud.
Nearly every organization holds some valuable information on their patients or clients, making it important to always proactively engage in cybersecurity measures. This incident also highlights how vendors can become vulnerable if they do not prioritize cybersecurity.
Organizations should always sign a Business Associate Agreement with vendors or third parties. These agreements outline what cybersecurity protocols the vendor should have in place and can also allow the initiating organization to audit the vendor.
Organizations may face financial penalties and increased monitoring from governing agencies. It’s also increasingly common for victims to seek restitution through class action lawsuits.