Breach Notifications | Chicago Public Schools

Updated March 7, 2025

Breach Notification for March 7, 2025

Below is an official notification of a breach involving a CPS vendor, Cleo.

Current families who were impacted by the breach will receive an emailed copy of the message below. Former CPS families who were impacted will receive a copy via U.S. Mail. The message below is in English and Spanish; to view an auto-translated version in another language, please use the “select language” tool in the top right corner of this webpage.

Important Information Regarding Unauthorized Disclosure of Student Information

Dear CPS Families and Staff:

Chicago Public Schools was recently made aware of a data security incident involving one of our vendors where certain student data was accessed by an unauthorized third party. This letter contains information about the incident, our response, and resources that you may find useful. At this time, there is no evidence to suggest that any student data has been misused.

Overview of Incident

Late last year, a technology vendor for CPS called Cleo was the victim of a cyberattack on a server used to store data about current and former CPS students. Cleo is a file transfer software used by the District for Electronic Data Interchange (EDI) with external entities. On Saturday, February 8th, CPS learned that student data had been inappropriately accessed during this incident.

Specifically, an unauthorized party gained access to students’ names, date of birth, gender, and Chicago Public Schools student ID number. For students who are enrolled in the federal Medicaid program, students’ Medicaid ID number and dates of program eligibility were also exposed. While we are still investigating this incident, we believe that all current students, and all former students dating back to the 2017-2018 school year were impacted. Importantly, no Social Security numbers, no financial information, and no health data were involved in this incident. CPS does not collect student Social Security numbers. No staff information was involved in this incident.

Information about Medicaid ID Numbers

When an individual enrolls in the Medicaid program, they are assigned an ID number by the State of Illinois, similar to how a private health insurance company assigns an individual member an ID number. Medicaid ID numbers—also known as Recipient Identification Numbers or RINs—cannot be used to obtain a Social Security number, open a bank account, open a line of credit, or open a credit card.

How CPS is Responding to this Incident

This incident has been reported to the appropriate law enforcement authorities, including the Federal Bureau of Investigation (FBI) and the Illinois Attorney General. CPS is continuing to assist law enforcement with this ongoing investigation.

The District is also working with the appropriate state and federal administrative agencies, as well as the vendor responsible for the breach. If there are any steps that families should take, and/or if the District is able to secure any additional resources for families beyond those listed below, those will be made available on this page.

Resources for Families

While no Social Security numbers, no financial information, and no health data were involved in this incident, we know that you may be concerned about fraudulent activity on your child’s behalf.

You can request a free credit report through annualcreditreport.com. Reviewing your credit report can help you catch signs of identity theft early. You can also contact one of the consumer reporting agencies to place a free fraud alert or security freeze on your credit files. A fraud alert lets creditors know to contact you before opening any new accounts. A freeze prevents a business, bank, or lender from seeing your credit report until you verify your identity with the consumer reporting agencies and confirm that it really is you, and not an impostor, applying for credit. You may contact any of these consumer reporting agencies to place a fraud alert or credit freeze on your accounts:

Equifax

www.equifax.com/personal

P.O. Box 105788
Atlanta, GA 30349
888-766-0008

Experian

www.experian.com

P.O. Box 9554
Allen, TX 75013
888-397-3742

TransUnion

www.transunion.com

P.O. Box 2000
Chester, PA 19016
800-680-7289

You may also contact the Federal Trade Commission to learn more about fraud alerts, credit freezes, or other identity theft resources:

Federal Trade Commission

600 Pennsylvania Ave., NW
Washington, DC 20580

877-382-4357 (Consumer Help Line)
877-438-4338 (Identity Theft Line)

www.ftc.gov
IdentityTheft.gov

CPS is deeply committed to the security of student information, and we expect the same level of care and commitment from our vendors. As an organization, CPS takes proactive measures to limit exposure by continuously strengthening our defenses and including strong provisions in vendor contracts to ensure our data is protected. Through ongoing diligence and improvement, we will continue to adapt our security posture to reduce the risk of future breaches.

Please know that the protection of your child’s personal information is a top priority, and we sincerely regret any concern or inconvenience that this matter may cause you.

Sincerely,

Norman P. Fleming
Chief Information Officer
Chicago Public Schools

Notificación de Incumplimiento del 7 de marzo de 2025

Información importante sobre la divulgación no autorizada de información estudiantil

Estimadas familias y personal de las CPS:

Las Escuelas Públicas de Chicago recientemente fueron informadas de un incidente de seguridad de datos que involucra a uno de nuestros proveedores, en el cual una tercera parte no autorizada logró obtener acceso a cierta información estudiantil. Esta carta contiene información sobre el incidente, nuestra respuesta, y algunos recursos que les pueden ser de utilidad. Al momento no hay evidencia que sugiera que la información estudiantil haya sido mal usada.

Resumen del incidente

A finales del año pasado, un proveedor de tecnología de las CPS llamado Cleo fue víctima de un ciberataque a un servidor utilizado para almacenar información sobre estudiantes de las CPS actuales y pasados. Cleo es un programa de transferencia de archivos digitales utilizado por el Distrito para facilitar el intercambio de información electrónica (EDI, según sus iniciales en inglés) con entidades externas. El sábado, 8 de febrero, las CPS se enteraron de que, durante este incidente, se había accedido indebidamente a información estudiantil.

Más específicamente, una entidad no autorizada obtuvo acceso a los nombres, las fechas de nacimiento, los sexos y los números de identificación estudiantil de estudiantes de las CPS. También se obtuvo acceso indebido a los números de identificación del programa federal Medicaid y las fechas de elegibilidad de dicho programa de aquellos estudiantes inscritos en éste. Aunque todavía estamos investigando este incidente, creemos que fueron impactados todos los estudiantes actuales, y todos los antiguos estudiantes desde el año escolar 2017-2018 hasta el presente. Un detalle importante es que este incidente no involucró números de Seguro Social, información financiera o información de salud. Las CPS no almacenan números de Seguro Social estudiantiles. Este incidente no involucró información sobre el personal.

Información sobre los números de identificación de Medicaid

Cuando un individuo se inscribe en el programa de Medicaid, se le asigna un número de identificación, similar a los números de identificación que los planes de seguro médico privado asignan a sus miembros. El número de identificación de Medicaid —también conocido como Recipient Identification Number o RIN— no puede ser utilizado para obtener números de Seguro Social, abrir cuentas de banco o líneas de crédito, u obtener tarjetas de crédito.

Cómo han respondido las CPS a este incidente

Este incidente ha sido reportado a las autoridades de orden público apropiadas, incluyendo la Oficina Federal de Investigaciones (FBI, según sus iniciales en inglés) y el fiscal general de Illinois. Las CPS continúan asistiendo a dichas autoridades con esta investigación, que todavía prosigue.

El Distrito también está trabajando con las agencias administrativas estatales y federales relevantes, y el proveedor responsable por el incidente. De haber algún paso que deberían tomar las familias, o si el Distrito logra asegurar recursos adicionales para las familias además de los que se mencionan a continuación, estarán disponibles en cps.edu/databreach.

Recursos para las familias

Aunque este incidente no involucró información financiera o números de Seguro Social, sabemos que ustedes los padres y tutores legales pueden estar preocupados de que se lleve a cabo actividad fraudulenta en nombre de sus estudiantes.

Primero, pueden obtener un informe de crédito gratis por medio de annualcreditreport.com. El revisar su informe de crédito puede ayudarlos a encontrar tempranamente indicios de robo de identidad. También pueden contactar a una de las siguientes agencias de informes de crédito para ejecutar gratuitamente una alerta de fraude o congelamiento de seguridad a sus expedientes de crédito. Una alerta de fraude informa a los acreedores que deben contactar al dueño de una cuenta antes de abrir cuentas nuevas. Un congelamiento impide que una empresa, banco o prestamista vea un informe de crédito hasta que el dueño de la cuenta verifique su identidad con las agencias de informes de crédito y éstas confirmen que sea el dueño de la cuenta el que esté solicitando crédito y no un farsante. Pueden contactar a cualquiera de estas agencias de informes de crédito para solicitar que se imponga una alerta de fraude o congelamiento de crédito a sus cuentas.

Equifax

www.equifax.com/personal

P.O. Box 105788
Atlanta, GA 30349
888-766-0008

Experian

www.experian.com

P.O. Box 9554
Allen, TX 75013
888-397-3742

TransUnion

www.transunion.com

P.O. Box 2000
Chester, PA 19016
800-680-7289

También pueden contactar a la Comisión Federal de Comercio (FTC, según sus iniciales en inglés), para obtener más información sobre alertas de fraude y congelamientos de crédito y otros recursos para lidiar con el robo de identidad:

Federal Trade Commission

600 Pennsylvania Ave., NW
Washington, DC 20580

877-382-4357 (línea de ayuda al consumidor)|
877-438-4338 (línea de robo de identidad)

www.ftc.gov
IdentityTheft.gov

Las CPS están profundamente dedicadas a la seguridad de la información estudiantil, y esperamos el mismo nivel de atención y compromiso de nuestros proveedores. Las CPS como organización toman medidas proactivas para limitar la exposición mediante el fortalecimiento continuo de nuestras defensas y la inclusión de dictámenes fuertes en contratos con proveedores para asegurar que nuestra información esté protegida. Continuaremos adaptando nuestra postura de seguridad por medio de diligencia y mejoramiento continuos, reduciendo así el riesgo de filtraciones de datos futuras.

Deseo que por favor sepan que la protección de la información personal de sus estudiantes es una prioridad primordial y sinceramente lamentamos cualquier preocupación o inconveniencia que este asunto les cause a ustedes.

Atentamente,

Norman P. Fleming
Director de información
Escuelas Públicas de Chicago

Breach Notification for May 20, 2022

Below is an official notification of a breach involving a CPS vendor, Battelle for Kids.

Families and staff members who were directly impacted by the breach will receive a personalized email notification and/or a personalized letter with important information about the breach, our response, free resources for families and staff to protect personal information, and safeguards put in place to prevent this type of incident in the future.

We have posted a generic copy of that letter here in the following languages:

Note: The Battelle for Kids hotline and identity monitoring enrollment services expired August 21, 2022.

Staff [ ENGLISH ]
Families [ ENGLISH | SPANISH | ARABIC | POLISH | SIMPLIFIED CHINESE | URDU ]

Below the official breach notification, you can find Frequently Asked Questions about this incident.

The date of the breach:

December 1, 2021
The description of the covered information that was compromised:

495,448 student records containing Name, date of birth, gender, grade level, school, Chicago Public Schools student ID number, State Student ID number, information about the courses students took, and scores from performance tasks used for teacher evaluations during school years 2015-2016, 2016-2017, 2017-2018 and/or 2018-2019.

56,138 staff records containing Name, school, employee ID number, CPS email address, Battelle for Kids username, course information from school years 2015-2016, 2016-2017, 2017-2018 and/or 2018-2019.

Please call the toll-free hotline at 833-909-4007 or email BFK-Breach-Info@cps.edu for any additional information.
Toll free numbers and other information for consumer reporting agencies:

Impacted parties can access a free credit report through annualcreditreport.com, a free resource authorized by the federal government. Additionally, the following credit reporting agencies offer a free service allowing you to receive fraud alerts and to freeze access to your or your child’s credit if necessary:
- Experian: www.experian.com/fraud/center.html, or 1-888-397-3742, or P.O. Box 2002, Allen, TX 75013.
- TransUnion: www.transunion.com/fraud-victim-resources, or 1-833-395-6938, P.O. Box 2000, Chester, PA 19022.
- Equifax: www.equifax.com, or 1-888-378-4329, or P.O. Box 740241, Atlanta, GA 30374.
Toll free numbers and other information for the Federal Trade Commission (FTC):

Contact the Federal Trade Commission (FTC) at 1-800-FTC-HELP (1-800-382-4357) or visit the FTC website at https://www.identitytheft.gov/#/Info-Lost-or-Stolen for more information about fraud alerts and security freezes from consumer reporting agencies.

What Happened?

A technology vendor for CPS called Battelle for Kids recently notified CPS that on December 1, 2021, Battelle for Kids was the victim of a ransomware attack on a server used to store CPS student and staff information for school years 2015-2016, 2016-2017, 2017-2018 and 2018-2019. Battelle for Kids is a nonprofit technology organization that stores student course information and assessment data for the purposes of teacher evaluations.

Specifically, an unauthorized party gained access to 495,448 student records which included name, date of birth, gender, grade level, school, Chicago Public Schools student ID number, State Student ID number, information about the courses students took, and student scores from performance tasks used for teacher evaluations during school years 2015-2016, 2016-2017, 2017-2018 and/or 2018-2019. The unauthorized party also gained access to 56,138 staff records which included name, school, employee ID number, CPS email address, Battelle for Kids username, and information about courses taught during the aforementioned school years. The server did not store any other information about students or staff. No Social Security numbers, no financial information, no health data, no current course or schedule information, no home addresses, and no course grades, standardized test scores, or teacher evaluation scores were involved in this incident.

How can I tell if I or my child(ren) were impacted?

CPS is sending personalized emails with the subject line “Notification of Unauthorized Disclosure of Student/Staff Information” to impacted families and staff members about this incident, including former CPS families and former staff who were impacted. In the coming days, CPS will follow up with a personalized physical letter to the last known address of impacted families and staff members, including former CPS families and staff who are no longer with the district. Families will receive one communication per child impacted. We are also notifying families and staff that were not impacted by this incident to provide them with peace of mind.

Some families may have some children who were impacted by the breach and other children who were not. Each notification is personalized to ensure families and staff are aware of exactly who was impacted by the breach.

What can I do to safeguard my information or my child(ren)’s information?

First, you should know that as of this time, there is no evidence to suggest that this data has been misused, posted, or distributed. According to data security experts, including law enforcement, the lack of financial information contained in the data decreases the likelihood that the data will be misused.

Regardless, we know that impacted families and staff may be concerned about fraudulent activity on their behalf or their child(ren)’s behalf.

Impacted families and staff can access a free credit report through annualcreditreport.com, a free resource authorized by the federal government. Additionally, the following credit reporting agencies offer a free service allowing you to receive fraud alerts and to freeze access to your credit if necessary:

Experian - https://www.experian.com/fraud/center.html, or 1-888-397-3742, or P.O. Box 2002, Allen, TX 75013.
TransUnion - https://www.transunion.com/fraud-victim-resources, or 1-833-395-6938, P.O. Box 2000, Chester, PA 19022.
Equifax - https://www.equifax.com, or 1-888-378-4329, or P.O. Box 740241, Atlanta, GA 30374.

We also encourage impacted families and staff to visit the Federal Trade Commission (FTC) website at https://www.identitytheft.gov/#/Info-Lost-or-Stolen for more information about fraud alerts and security freezes from consumer reporting agencies. Impacted families and staff may also contact the FTC at 1-800-FTC-HELP (1-800-382-4357).

What happens if my or my child(ren)’s information is posted on the internet? Will I be notified?

As of this time, there is no evidence to suggest that this data has been misused, posted, or distributed. According to data security experts, including law enforcement, the lack of financial information contained in the data decreases the likelihood that the data will be misused.

Battelle for Kids is currently monitoring and will continue to monitor the internet in case the data is posted or distributed. If the information is posted on the internet, CPS will notify impacted families with next steps and resources to safeguard information. In addition, the identity theft protection and credit monitoring provided by CPS will notify you if your specific information is posted.

We encourage families to always be vigilant and closely monitor financial accounts for fraudulent activity.

What happens if I or my child(ren) are the victims of fraudulent activity or identity theft as a result of this breach?

In the unlikely event that this information is used for fraudulent activity or identity theft, report the activity to the Federal Trade Commission (FTC) online at IdentityTheft.gov or by phone at 1-877-438-4338. The FTC will collect the details of your situation and advise you on next steps.

If the breach happened on December 1, 2021, why were impacted parties notified on May 20, 2022?

CPS received a letter on April 26, 2022 via U.S. Mail from Battelle for Kids which notified us of a security incident involving student data that occurred in December 2021. CPS did not have specific information as to which students were affected, nor did CPS know that staff information was also compromised until May 11, 2022.

Our vendor, Battelle for Kids, informed us that the reason for the delayed notification to CPS was the length of time that it took for Batelle to verify the authenticity of the breach through an independent forensic analysis, and for law enforcement authorities to investigate the matter.

Regardless, our contract with Battelle for Kids states that CPS is to be notified of any data breach immediately. We are addressing the delayed notification and other issues in the handling of data with Batelle for Kids. We are also working to ensure all vendors who use CPS data are handling that data responsibly and securely to prevent this sort of incident from ever happening again.

What steps is CPS taking to prevent this from happening again?

CPS includes strong language in all of our vendor contracts to ensure the protection and security of personal information. We are working to ensure all vendors who use CPS data are handling that data responsibly and securely in compliance with their respective contracts to prevent this sort of incident from ever happening again.

Battelle for Kids has informed CPS that they have taken several mitigation measures to reduce the risk of this type of incident occurring in the future, including a plan for the timely and secure deletion of outdated data, migration to enterprise cloud services, enhanced network security, and the retention of a third-party security firm for up-to-date defenses and industry-leading practices for the ever-evolving needs of cybersecurity.

Have the appropriate authorities been informed of this incident?

Yes. This incident has been reported to and investigated by the appropriate law enforcement authorities, including the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS).

Does Battelle for Kids currently have access to my child’s data?

Battelle for Kids is currently in the process of verifying current class rosters for this school year for the purposes of teacher evaluations. However, please be aware that no current student information was compromised in this incident.

What is a Data Breach?

A breach refers to the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of covered information maintained by an operator or school.

Parents will be notified of breaches of covered information within 30 calendar days of receipt of notice that a breach has occurred. Notification may be delayed if this would interfere with a criminal investigation. Notification will include, but is not limited to:

The date of the breach
The description of the covered information that was compromised
Information that the parent may use to contact the operator and the school about the breach
Toll free numbers and other information for consumer reporting agencies
Toll free numbers and other information for the Federal Trade Commission (FTC)
A statement that the parent may obtain information from the FTC and consumer reporting agencies about fraud alerts and security freezes.