A Chicago Public Schools (CPS) employee will be removed from their position after accidentally sending, on Friday evening, 15 June, a mass email that included a link to a confidential spreadsheet. The email exposed the private data of 3,700 students and families, according to the Chicago Tribune. The link, which wasn’t removed until Saturday morning, revealed students’ names, email addresses, phone numbers and student ID numbers.
Affected families were notified via the following email:
EMAIL TO FAMILIES: 7/15/2018
Earlier today, in an unacceptable breach of both student information and your trust, we mistakenly included your private student and family information in an email to you and more than 3700 other families who were invited to submit supplemental applications to selective enrollment schools.
We sincerely apologize for this unintended disclosure and ask that you please delete the information in question.
We are taking this matter very seriously, and a review of this incident is underway to determine how this breach occurred and ensure a similar matter does not occur again. Additionally, we will be removing the responsible employee from their position because violating your privacy is unacceptable to the district.
If you would like to speak with someone regarding this matter, please contact 773-553-2060.
CPS Office of Access and Enrollment
While the error will cost the employee their job, there is a greater question of liability: the file, which contained sensitive information, was stored on Blackboard, and the employee was able to access it without any required login.
CPS reportedly believed at first that the file was an attachment and asked parents to delete it. “So while CPS may have believed that they had responded appropriately to the breach by asking parents to delete an attached file, in actuality, the file remained where it had always been – up on Blackboard,” according to DataBreaches.net.
In an email to Infosecurity Magazine, CPS wrote, “To ensure no one else is able to pull down the improperly disclosed information, CPS had the sensitive file pulled from the network so that no one could retrieve it again. We also asked anyone who downloaded the data to remove it from their system.”
“To help ensure an improper disclosure of this nature does not occur again, we immediately put in place additional technical restrictions regarding personnel who can send messages of this nature,” CPS continued. “Moving forward, we are exploring additional technical safeguards that would help prevent data of this nature from being disclosed.”