Created On: 22 May 2022 01:39:27 UTC
Ransomware attack exposes data of 500,000 Chicago students
Chicago Public Schools has suffered a massive data breach that exposed the data of almost 500,000 students and 60,000 employees after its vendor, Battelle for Kids, suffered a ransomware attack in December.
Ohio-based Battelle for Kids is a not-for-profit educational organization that analyzes student data shared by public school systems to design instructional models and evaluate teacher performance.
Battelle for Kids says it works with 267 school systems, and its programs have reached over 2.8 million students.
Massive data breach for Chicago Public Schools
Yesterday, the Chicago Public Schools (CPS) district disclosed that a December 1st ransomware attack on Battelle for Kids exposed the stored data of 495,448 students and 56,138 employees in its school system.
According to CPS, the school system partners with Battelle for Kids by uploading student course information and assessment data, which the vendor uses for teacher evaluations.
CPS says that the data stored on Battelle for Kids' servers was for school years 2015 through 2019 and exposed students' personal information and assessment scores.
"Specifically, an unauthorized party gained access to your child’s name, date of birth, gender, grade level, school, Chicago Public Schools student ID number, State Student ID number, information about the courses your student took, and scores from performance tasks used for teacher evaluations during school years 2015-2016, 2016-2017, 2017-2018 and/or 2018-2019," explains the CPS student data breach notification.
For staff, the threat actors potentially accessed their name, school, employee ID number, CPS email address, and Battelle for Kids username during school years 2015-2016, 2016-2017, 2017-2018 and/or 2018-2019.
CPS says that no Social Security Numbers, home addresses, health data, or financial information was exposed in the attack.
CPS is providing free credit monitoring and identity theft protection to any students or staff members impacted.
Instructions on how to access this free credit reporting can be found on the CPS data breach page created by the school system.
Over four months to disclose breach
In April, Ohio school districts began issuing data breach notifications warning students and staff that their data was exposed in the ransomware attack on Battelle for Kids.
Even though CPS says its contract with Battelle for Kids requires immediate notification of a data breach, it first learned about the breach over four months after the attack, on April 26th, 2022.
It was not until May 11th that CPS learned which specific students and staff had their data exposed.
"Our vendor, Battelle for Kids, informed us that the reason for the delayed notification to CPS was the length of time that it took for Battelle to verify the authenticity of the breach through an independent forensic analysis, and for law enforcement authorities to investigate the matter," explains CPS on their data breach page.
While it is not known which ransomware gang is behind this attack, these groups routinely leave ransom notes on encrypted devices that include email addresses or links to ransom negotiation sites.
Example ransom note listing stolen data
As part of the extortion process, ransomware gangs commonly provide proof that they stole data by sharing a list of all the stolen folders and sometimes sharing individual files as proof.
When a victim refuses to pay a ransom, the threat actors publicly disclose that they attacked the victim and begin leaking their stolen data.
There has been no public disclosure by a ransomware gang stating that they breached Battelle for Kids, possibly indicating that Battelle for Kids paid a ransom demand.
A similar but unrelated data breach was disclosed by the New York City Department of Education in March, where a vendor's cyber attack exposed the data of 820,000 students.
BleepingComputer has contacted Battelle for Kids with questions but has not heard back at this time.
OAS platform vulnerable to critical RCE and API access flaws
Threat analysts have disclosed vulnerabilities affecting the Open Automation Software (OAS) platform, leading to device access, denial of service, and remote code execution.
The OAS platform is a widely used data connectivity solution that unites industrial devices (PLCs, OPC servers, Modbus equipment), SCADA systems, IoT devices, network endpoints, custom applications, custom APIs, and databases under a single system.
It is a versatile hardware and software connectivity solution that facilitates data transfers between proprietary devices and apps from multiple vendors and connects them to firm-specific products, custom software, and similar systems.
Overview of the OAS platform
OAS is used by Michelin, Volvo, Intel, JBT AeroTech, the U.S. Navy, Dart Oil and Gas, General Dynamics, AES Wind Generation, and several other high-profile industrial entities.
As such, vulnerabilities in the platform can put crucial industrial sectors at risk of disruption and confidential information disclosure.
Critical flaws
According to a report by Cisco Talos, OAS platform version 16.00.0112 and below is vulnerable to a range of high and critical severity bugs that create the potential for damaging attacks.
Starting with the most critical of the bunch, CVE-2022-26833 has a CVSS severity rating of 9.4 out of 10 and concerns the unauthenticated access and use of the REST API functionality in OAS.
An attacker could exploit this flaw by sending a series of specially crafted HTTP requests to the vulnerable endpoints.
As Cisco explains, the REST API is designed to give the "Default" user programmatic access for configuration changes and data viewing, and Talos researchers were able to authenticate as that user by sending a request with a blank username and password.
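As an added example (not Cisco Talos' or OAS's code), the following probe checks an HTTP authentication endpoint for exactly this blank-credential behaviour and exercises it against an in-process mock server. The endpoint path /OASREST/v2/authenticate, the JSON field names and the clientid field in the response are assumptions for illustration; the mock only models a server that either hands out a session for empty credentials (unpatched) or rejects them (patched).

```python
"""Probe an authentication endpoint for the blank-credential weakness
described for CVE-2022-26833, exercised against an in-process mock server.

Added example, not Cisco Talos or OAS code. AUTH_PATH, the JSON field names
and the "clientid" response field are assumptions for illustration.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

AUTH_PATH = "/OASREST/v2/authenticate"  # assumed path, check vendor docs


def probe_blank_credentials(base_url, auth_path=AUTH_PATH, timeout=5.0):
    """POST empty credentials; report whether a session was handed out."""
    body = json.dumps({"username": "", "password": ""}).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + auth_path, data=body, method="POST",
        headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:      # 4xx/5xx replies still carry a body
        status, raw = err.code, err.read()
    except (urllib.error.URLError, OSError) as err:
        return {"reachable": False, "vulnerable": False, "detail": str(err)}
    try:
        data = json.loads(raw.decode("utf-8", "replace"))
    except ValueError:
        data = None
    # A 200 carrying a session identifier means blank credentials were accepted.
    accepted = status == 200 and isinstance(data, dict) and bool(data.get("clientid"))
    return {"reachable": True, "vulnerable": accepted, "status": status, "detail": data}


def make_handler(accept_blank):
    """Mock of the API: accept_blank=True models the unpatched behaviour."""
    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *_):   # silence per-request logging
            pass

        def _reply(self, code, obj):
            payload = json.dumps(obj).encode()
            self.send_response(code)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)

        def do_POST(self):
            length = int(self.headers.get("Content-Length") or 0)
            try:
                creds = json.loads(self.rfile.read(length) or b"{}")
            except ValueError:
                creds = {}
            if not isinstance(creds, dict):
                creds = {}
            blank = creds.get("username", "") == "" and creds.get("password", "") == ""
            if self.path != AUTH_PATH:
                self._reply(404, {"error": "not found"})
            elif blank and accept_blank:          # vulnerable: session for the "Default" user
                self._reply(200, {"clientid": "mock-session-token", "user": "Default"})
            else:                                 # the mock has no real accounts
                self._reply(401, {"error": "authentication failed"})
    return Handler


def serve(accept_blank):
    """Start the mock on an ephemeral localhost port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(accept_blank))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def run_demo():
    """Probe a vulnerable and a patched mock; returns both probe results."""
    results = {}
    for label, accept_blank in (("vulnerable", True), ("patched", False)):
        server, url = serve(accept_blank)
        try:
            results[label] = probe_blank_credentials(url)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for label, result in run_demo().items():
        verdict = "blank credentials ACCEPTED" if result["vulnerable"] else "blank credentials rejected"
        print(label, "->", verdict, result)
```

Against a real deployment the probe only ever sends empty credentials, so it is safe to run as a configuration check; a 200 with a session identifier is the finding, anything else (401, 404, connection refused) is not.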
Authenticating without using any credentials (Cisco)
The second critical flaw is CVE-2022-26082, rated at 9.1, which is a file write vulnerability in the OAS Engine SecureTransferFiles module.
According to Cisco, a specially crafted series of network requests sent to the vulnerable endpoint may lead to arbitrary remote code execution.
“By sending a series of properly-formatted configuration messages to the OAS Platform, it is possible to upload an arbitrary file to any location permissible by the underlying user.
By default, these messages can be sent to TCP/58727 and, if successful, will be processed by the user oasuser with normal user permissions." - Cisco Talos
This enables a remote threat actor to upload a new authorized_keys file to the oasuser's .ssh directory, making it possible to log in to the system over SSH.
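Because the attack path ends with a planted authorized_keys file, one cheap host-side check is to audit that file against the keys operations actually provisioned. The following is an added example (not OAS or Cisco Talos code): a parser for the authorized_keys format, including the leading options field whose quoted values may contain spaces, plus an audit that flags any key whose SHA256 fingerprint is not in an approved baseline. The sample file contents and key blobs are constructed for illustration and are not real key pairs; only the user name oasuser and the .ssh/authorized_keys location come from the advisory text.

```python
"""Audit a user's authorized_keys file against a baseline of approved keys.

Added example, not OAS or Cisco Talos code. The file contents and key blobs
below are constructed for illustration (they are not real key pairs); only the
user name oasuser and the .ssh/authorized_keys location come from the advisory.
"""
import base64
import binascii
import hashlib

KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def fingerprint(blob_b64):
    """SHA256 fingerprint in the same form ssh-keygen -l prints."""
    raw = base64.b64decode(blob_b64, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys_line(line):
    """Dict for a key line, None for blanks/comments; ValueError if malformed."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, rest = "", line
    if line.split(None, 1)[0] not in KEY_TYPES:
        # Leading options: scan to the first whitespace outside double quotes
        # (values such as command="..." may themselves contain spaces).
        i, quoted = 0, False
        while i < len(line):
            ch = line[i]
            if ch == '"':
                quoted = not quoted
            elif ch == "\\" and quoted:
                i += 1                      # skip the escaped character
            elif ch.isspace() and not quoted:
                break
            i += 1
        options, rest = line[:i], line[i:].strip()
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("unrecognised key line: %r" % line)
    try:
        fp = fingerprint(parts[1])
    except (binascii.Error, ValueError):
        raise ValueError("key blob is not valid base64: %r" % line)
    return {"type": parts[0], "fingerprint": fp, "options": options,
            "comment": parts[2] if len(parts) == 3 else ""}


def audit_authorized_keys(text, approved_fingerprints):
    """One finding per key line: approved, UNKNOWN (not in baseline) or malformed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_authorized_keys_line(line)
        except ValueError as err:
            findings.append({"line": lineno, "status": "malformed", "detail": str(err)})
            continue
        if entry is None:
            continue
        status = "approved" if entry["fingerprint"] in approved_fingerprints else "UNKNOWN"
        findings.append({"line": lineno, "status": status, **entry})
    return findings


def _blob(seed):
    """Constructed ssh-ed25519 wire-format blob (type string + 32 filler bytes)."""
    filler = bytes((seed + i) % 256 for i in range(32))
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + filler).decode()


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample of /home/oasuser/.ssh/authorized_keys",
    "ssh-ed25519 %s backup@ops" % _blob(1),
    'from="10.0.0.5",command="/usr/bin/rsync --server" ssh-ed25519 %s rsync@ops' % _blob(2),
    "ssh-ed25519 %s" % _blob(3),          # no comment, not in baseline: the planted-key case
    "ssh-ed25519 not!base64 junk",        # malformed line
])
# Baseline: the two keys operations actually provisioned (sample lines 2 and 3).
APPROVED = {parse_authorized_keys_line(l)["fingerprint"]
            for l in SAMPLE_AUTHORIZED_KEYS.splitlines()[1:3]}

if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED):
        print(f["line"], f["status"], f.get("fingerprint", f.get("detail")))
```

In practice the baseline would be kept outside the host (in configuration management or a secrets inventory) and the audit run from a file-integrity or scheduled job, so that a file rewritten through the SecureTransferFiles path shows up as an UNKNOWN fingerprint rather than being trusted because it is present on disk.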
The other flaws discovered by Cisco Talos are all categorized as high-severity (CVSS: 7.5) and are the following:
CVE-2022-27169: obtain directory listing via network requests
CVE-2022-26077: information disclosure targeting account credentials
CVE-2022-26026: denial of service and loss of data links
CVE-2022-26303 and CVE-2022-26043: external configuration changes and creation of new users and security groups
Cisco provides mitigation advice for each of the above vulnerabilities, which involves disabling services and closing communication ports, so if upgrading to a newer version of OAS is not possible, there is a fallback at the cost of some functionality or convenience.
Otherwise, upgrading to a more recent version of the OAS platform is advisable.
The security fixes for the two critical flaws described above landed in version 16.00.0.113, which was released as a security update on May 22, 2022.
Upgrade lags are to be expected in industrial environments that operate intricate and complicated data connectivity systems, but in this case, due to the severity of the disclosed flaws, it is crucial to take immediate action.