At a glance.
- Chicago public schools affected by third-party ransomware attack.
- Nikkei's ransomware incident.
- Privacy implications of doorbell cameras.
Third-party vendor ransomware attack leads to breach of Chicago Public Schools.
Chicago Public Schools (CPS), located in the US state of Illinois, has disclosed that a breach exposed the data of nearly 500,000 students and 60,000 employees. The Chicago Tribune reports that the incident is the result of the December ransomware attack suffered by vendor Battelle for Kids, an Ohio-based not-for-profit that CPS has enlisted for student data analysis and teacher performance evaluation. According to CPS, the compromised data includes student dates of birth, gender, grade level, ID numbers, and course details, as well as staff names, employee ID numbers, and CPS email addresses. “There were no Social Security numbers, no financial information, no health data, no current course or schedule information, no home addresses, and no course grades, standardized test scores, or teacher evaluation scores exposed in this incident,” CPS stated. “Also, at this time, there is no evidence to suggest that this data has been misused, posted, or distributed.”
WGN-9 reports that Battelle released a statement about the attack explaining, “We immediately engaged a national cybersecurity firm to assess the scope of the incident and took steps to mitigate the potential impact. We have recently received findings and notified all impacted school systems.” Battelle added that much of the compromised data was legacy or archive data from past years. Bleeping Computer notes that even though CPS’s contract with Battelle for Kids requires immediate notification of a data breach, the district first learned about the breach four months after it occurred, and it wasn’t until May that they were told which specific students or staff were impacted. “Our vendor, Battelle for Kids, informed us that the reason for the delayed notification to CPS was the length of time that it took for Battelle to verify the authenticity of the breach through an independent forensic analysis, and for law enforcement authorities to investigate the matter,” CPS stated.
Chris Hauk, consumer privacy champion, Pixel Privacy, noted that the incident seems to have affected both students and faculty. “This data breach appears to have affected both students and faculty equally. While no social security information, home addresses, or financial information was reportedly exposed, enough data was exposed that would provide a leg up for bad actors looking to gain additional information. Students and faculty must remain on the alert for any phishing attempts that use the gleaned information to acquire additional info.”
Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, sees the incident as an instance of a larger trend. “Ransomware attacks have become a growing threat to education centers across the United States. Schools are becoming more dependent on a computing infrastructure to support their daily functions, and they also hold a vast amount of sensitive information. This provides criminals with high-profile targets to infiltrate and hold data for ransom or steal and sell it,” he wrote. “School districts and universities need to understand that they are high-profile targets, and they need to assume that a cyber-attack is imminent. With that in mind, as the first step, they need to invest in a dynamic security awareness training program for both faculty and students so they can better identify security risks such as phishing emails and suspicious links. And then, they need to protect their data not just with enhanced perimeter security but with data-centric security such as tokenization applied directly to that data. Only robust data-centric security can help mitigate the situation if the wrong hands get ahold of sensitive data.”
Nikkei suffers ransomware attack.
Nikkei Group, one of the world’s largest financial news outlets, announced that its Asia headquarters in Singapore experienced a ransomware attack on May 13. The Japanese company owns the Nikkei, considered the largest financial newspaper in the world, and the Financial Times. Though the company says no data leak has been confirmed, the impacted server “likely contained customer data” and investigators are working to determine “the nature and scope” of the attack. The Record by Recorded Future notes that the attack is the latest of several incidents impacting news outlets in recent years, as US media conglomerate Cox Media Group suffered a crippling ransomware attack in June 2021, and this January the Lapsus$ extortion gang attacked Portuguese media conglomerate Impresa.
Do doorbell cameras do more harm than good?
Wired explores the privacy questions raised by the ever-growing use of residential surveillance cameras. Security cameras like the massively popular Ring are becoming ubiquitous; in just the month of December 2019, Amazon sold 400,000 Ring cameras, bringing the total number of such devices in circulation into the millions. While homeowners purchase the cameras to give them a sense of security, critics are concerned about the increase of programs in which police request surveillance cam footage to aid them in investigations, and they also worry that the cameras could unnecessarily increase our fear of crime.
Doorbell camera content has become so popular that it has even become a source of entertainment on social media platforms like TikTok and Instagram. Because the subjects caught on camera are often disproportionately people of color or individuals suffering from mental health crises, addiction, or poverty, some experts wonder if the cameras are doing more harm than good. Technically there’s no legal issue with publishing security camera footage, as a homeowner has the right to record anything on their property, and Ring warns users against using footage in a manner that is “harmful, fraudulent, deceptive, threatening, harassing, defamatory, obscene, or otherwise objectionable,” but it’s up to the user’s discretion to ensure they are not violating any local privacy laws.