Education at Risk: How Chicago-Area Schools Are Facing the Data Security Crisis

In an era where classroom attendance and cloud computing go hand in hand, educational institutions in the greater Chicago area are facing an urgent new challenge: keeping their data secure. Whether it’s K-12 schools, charter networks, or world-renowned universities, many educational organizations are struggling to safeguard their sensitive information from cyber threats.

From grade reports to financial aid applications, the amount and sensitivity of data schools manage have increased dramatically. But so have the risks. As more systems move online, vulnerabilities in how that data is stored can leave students, staff, and institutions open to serious breaches.

What Kind of Data Is at Stake?

Educational organizations handle a vast range of information:

• Student records: Names, addresses, grades, behavioral reports, IEPs, health information
• Staff data: Payroll files, Social Security numbers, employment history
• Financials: Donor databases, tuition payments, scholarships, grant management
• Credentials: Logins to LMS platforms (Google Workspace, Canvas, Microsoft 365)
• Research: Proprietary projects, especially in higher education

All of this data has value—to attackers. And when it’s not adequately protected, the fallout can be devastating.

Where the Vulnerabilities Lie

Despite their reliance on digital systems, many schools continue to use outdated infrastructure or loosely managed cloud services. Common issues include:

• Unsecured data storage: Files left on unencrypted drives or open networks
• Lack of centralized control: Faculty using their own devices or software without IT oversight (“shadow IT”)
• Inconsistent backup practices: Losing access to important data after ransomware or accidental deletion
• Poor password hygiene: Shared logins or reused passwords among staff
• Unpatched systems: Old software left vulnerable to known exploits

These gaps provide an easy path for attackers—and the education sector is increasingly in their sights.

Real-World Risks: Chicago Schools and Universities Under Attack

The threats are no longer hypothetical. Recent breaches have impacted major educational institutions across the Chicago area.

According to the Chicago Sun-Times, in May 2024, the University of Chicago Medicine disclosed that an email-related incident may have exposed the personal information of about 10,300 individuals. The breach was linked to unauthorized access to employee email accounts, highlighting the growing risks of phishing and email compromise, even at well-resourced academic institutions.

Meanwhile, Chicago Public Schools (CPS) has faced several student data breaches in recent years. Under the Student Online Personal Protection Act (SOPPA), CPS maintains a public breach notification log. One of the most recent breaches, shared by NBC Chicago on March 7, 2025, involved a CPS vendor, Cleo. While details are still emerging, CPS confirmed that Cleo was involved in a breach impacting student information, reinforcing how third-party vendors can introduce serious vulnerabilities into school systems. CPS provides a breach notifications page that provides resources and recommendations for families.

These breaches not only threaten student privacy and institutional trust, but can lead to costly remediation, legal challenges, and compliance penalties.

The Risks Schools Can’t Ignore

Let’s break down the most pressing threats:

• Ransomware: Schools have had entire systems locked down, forced to pay ransoms just to recover access to attendance or grading systems.
• Phishing attacks: Cybercriminals impersonate faculty or vendors, tricking staff into handing over credentials or initiating wire transfers.
• Data exfiltration: Quiet theft of student and employee data can lead to identity theft or reselling on the dark web.
• DDoS attacks: Particularly disruptive during test weeks or enrollment periods.
• Regulatory consequences: FERPA and HIPAA violations can result in major fines or loss of accreditation.

Why Chicago Schools Are Especially Vulnerable

From large institutions like the University of Illinois at Chicago to small private academies and charter networks, the region’s education landscape is diverse—but IT maturity varies widely.

Several local factors contribute to the risk:

• Budget constraints: IT teams are often underfunded or overstretched
• Remote learning expansion: Since the pandemic, students and teachers access systems from more devices and locations, expanding the attack surface
• Decentralized tech: Teachers and departments using their own platforms without IT visibility or control
• Pressure to innovate: Adoption of edtech tools often outpaces security reviews and training

What Schools Can Do: 5 Smart Security Moves

Chicago-area educational organizations don’t need six-figure budgets to improve their defenses. Here are five essential steps:

1. Conduct a data audit: Identify what data is stored, where it resides, and who has access to it.
2. Implement Multi-Factor Authentication (MFA) and Single Sign-On (SSO): Protect accounts even when passwords are compromised.
3. Encrypt all sensitive data: Both in transit and at rest, especially on staff and student devices.
4. Develop an incident response plan: Define who to notify, how to contain the breach, and how to comply with SOPPA, FERPA, and other laws.
5. Train staff and students: Provide age-appropriate cybersecurity education, including how to recognize phishing and secure file sharing.

Choosing the Right Storage Approach: Cloud, On-Premises, or Hybrid?

A critical decision for IT leaders is how to store and secure sensitive information. The three most common models each have their pros and cons:

• Cloud storage is scalable and accessible but relies on strong vendor security and internet availability.
• On-premises storage provides greater control but requires infrastructure, space, and ongoing maintenance.
• Hybrid storage combines both, offering flexibility and backup redundancy.

Local Support for Chicago-Area Schools

Educational institutions in the region can take advantage of:

• Illinois Department of Innovation & Technology (DoIT): Offers cybersecurity tools and policy support
• Chicago Public Schools Security Resources: CPS publishes breach notices and offers SOPPA guidance
• Consortiums and Co-ops: Illinois Learning Technology Purchase Program (ILTPP) and other groups offer secure edtech procurement
• Local MSPs: Many offer tailored cybersecurity services for schools at scalable pricing

The Path Forward: Security as a Learning Standard

Cybersecurity isn’t just an IT issue anymore—it’s an educational one. Data protection needs to become part of a school’s overall mission to provide safe, equitable access to learning.

Just as we lock our classroom doors and verify campus visitors, we must defend our networks and secure our digital assets. When breaches occur, they affect real lives: students, families, educators, and the integrity of education itself.

Schools in the greater Chicago area must prioritize cybersecurity as a critical investment. That means evaluating how data is stored, enforcing smart policies, and working with knowledgeable partners who understand the unique needs of education.