Student names, birth dates compromised in data breach affecting suburban school districts

Editor's note: This article has been updated to correct the email address to contact about free credit monitoring.

At least four large suburban school districts are among roughly 13,000 account holders of an educational assessments company affected by a data breach, officials say.

The first and last names of students, and in some cases their dates of birth, were affected by what Pearson Clinical Assessments describes as "unauthorized access" to information in its AIMSweb 1.0 program.

The names and school emails of staff members also were affected.

Naperville Unit District 203, Indian Prairie Unit District 204, St. Charles Unit District 303 and Geneva Unit District 304 all have notified community members of the breach and provided information on free credit monitoring Pearson is making available to affected students or staff members through Experian.

Pearson spokesman Scott Overland said the company is not making its list of all affected customers public, so districts whose data was accessed can inform students and parents according to their own policies.

"While we have no evidence that this information has been misused, we have notified the affected customers as a precaution," Overland said in a written statement.

Sinikka Mondini, executive director of communications for Naperville Unit District 203, said the district is encouraging students and parents who have called with privacy concerns to use the free credit monitoring, despite the fact dates of birth were included only "in very rare cases," and other identifying details, such as social security numbers, were not involved.

"Every data breach is concerning," Mondini said. "But there was no truly sensitive information given."

Pearson told affected districts that data was breeched from the 2001 through 2016 school years. Names and potentially birth dates of 3,700 students in District 203, 49,000 students in District 204; 3,206 students in District 303; and about 8,000 in District 304 were involved in the breach, along with names and school email addresses of 800 staff members in District 203, 2,300 staff members in District 204, 338 staff members in District 303 and 400 staff members in District 304.

Mondini said the totals depend on how widely each district used the AIMSweb 1.0 software, which she described as a "testing tool to benchmark students."

Some districts used it to track test performance for all students in all grade levels, she said.

A new version of the software has been available since the 2016-17 school year and was unaffected by the breach.

"We were using it with special populations to track growth," Mondini said about the 1.0 version.

District 303, however, no longer uses Pearson's services, spokeswoman Carol Smith said, making it difficult to pinpoint exactly which students -- current or former -- were affected.

To determine whether they were included in the breach, District 303 encourages students, parents and workers to call the assessment office at (331) 228-4919. As of Thursday morning, eight had.

In letters to their communities, affected districts said they take data security seriously.

"Only the most limited data is provided to vendors for required services," districts 203, 204 and 303 said in their statements. "Contracts with outside vendors are closely vetted to ensure measures are in place at all times to safeguard that data."

To access free credit monitoring, anyone affected can call (866) 883-3309 or email aimsweb1request@pearson.com.