Ex-CPS worker accused of stealing info on 80,000 people in latest data breach
Subscribe for unlimited digital access.
Try one month for $1!
Subscribe for unlimited digital access. Try one month for $1!
A former Chicago Public Schools worker faces several felony charges after officials allege the worker stole personal information on about 80,000 employees, volunteers and vendors from a CPS database.
The former worker, Kristi Sims, was arrested Thursday; officers recovered the stolen files after executing search warrants, according to CPS and Chicago police officials. Sims, 28, is a former contractor who handled administrative tasks for the Office of Safety and Security.
Sims was ordered released on her own recognizance at a bond hearing Friday at the Leighton Criminal Court Building by Judge Sophia Atcherson; Sims also was ordered not to access to the internet while the case continues.
In a letter to employees Thursday evening, CPS Chief Operating Officer Arnie Rivera said the district learned of the massive data breach Wednesday, the day after the information was stolen.
Among the data stolen were names, employee ID numbers, phone numbers, addresses, dates of birth, criminal arrest histories and DCFS findings. Social Security numbers were not taken, Rivera said.
“There was no indication that the information, which was in the individual’s possession for approximately 24 hours, was used or disseminated to anyone in any way,” Rivera added.
A CPS spokesman referred questions about the criminal charges to Chicago police, but Rivera said “CPS will work to ensure the individual is prosecuted to the fullest extent of the law.”
CPD spokesman Anthony Guglielmi said Sims is also suspected of deleting the targeted files from the CPS database after they were stolen.
The digital equipment seized in the warrant is being analyzed, and a search warrant is underway for Sims’s email account, Guglielmi said. Though police say they don’t believe anyone other than Sims was in possession of the data, they hope to learn more about what might have been done with the information.
Sims, of southwest suburban Hickory Hills, faces four counts of aggravated computer tampering and three counts of identity theft, according to police.
Assistant State’s Attorney Tom Simpson said Sims was terminated by the contractor that employed her. The firing was due to performance issues, Simpson added, but the contactor then did not remove her access to the Board of Education’s Google Drive account. Sims is accused of accessing the Google Drive account from a remote location, Simpson said.
Sims’ access to the drive after her termination was discovered by tracking her unique username and password, Simpson said. She was initially hired to help organize the Board of Education’s cloud accounts and conduct background checks on employees and volunteers.
In asking the court to order her not to use the internet, Simpson said he understood the request was “onerous,” but said prosecutors felt it was necessary to ensure Sims did not try to access the Google Drive account again.
A defense attorney for Sims, Kevin Peters, said she was a lifelong resident of Chicago who had never been arrested before. Several family members attended court in support of her but declined to comment after the hearing.
“I don’t know how anyone would manage to get by in this day and age without [access to the internet],” Peters said. Judge Atcherson said the order could be revisited at Sims’ next scheduled court appearance on Nov. 26.
This latest CPS data breach comes only a few months after the school district mistakenly sent a mass email that linked to the private information of thousands of students and families.
The email invited families to submit supplemental applications to selective enrollment schools. Attached at the bottom of the email was a link to a spreadsheet with the personal data of more than 3,700 students and families.
In that incident, CPS apologized for the “unacceptable breach of both student information and your trust” and asked recipients of the email to delete the sensitive information. The data included children’s names, home and cellphone numbers, email addresses and ID numbers.