Sensitive data from more than a dozen UK schools has been stolen in a ransomware attack, the BBC has reported.
The compromised information includes children’s special education needs, passport scans, staff pay scales and contract details.
Initial reports indicated that no data had been exfiltrated in the attacks, which began in September 2022. However, one of the first schools to fall victim – Pates Grammar School in Gloucester – later emailed parents to tell them this was not the case.
It’s unclear how much data was stolen in total or whether any of the affected schools paid the cyber criminals’ ransom.
The other schools compromised in the attack were:
- Carmel College (St Helens);
- Durham Johnston Comprehensive School;
- Frances King School of English (London and Dublin);
- Gateway College (Leicester);
- Holy Family RC and CE College (Heywood);
- Lampton School (Hounslow);
- Mossbourne Federation (London);
- Pilton Community College (Barnstaple);
- Samuel Ryder Academy (St Albans);
- School of Oriental and African Studies (London);
- St Paul’s Catholic College (Sunbury-on-Thames);
- Test Valley School (Stockbridge); and
- The De Montford School (Evesham).
A spokesperson for Pates Grammar School told the BBC it was working with forensic specialists to investigate the incident and secure its systems. Spokespeople for three other affected schools responded to requests for comment.
Lampton School issued a statement that read: “Teachers were aware of the breach but we did not inform them of the data that was stolen. The ICO [Information Commissioner’s Office] did not tell us to notify the data subjects.
“We blocked remote access to all but a small number of staff with two-factor authentication, and all our passwords have been reset.”
Mossbourne Federation had a similar experience, with a spokesperson saying: “Parents, pupils, staff and all concerned were immediately notified and kept up-to-date during the recovery process. We have fully recovered from the cyber-attack and have returned to normal operations.”
Meanwhile, the School of Oriental and African Studies revealed that it had lost almost 19,000 files in the attack.
“We notified staff and students of the incident, and while we were able to prevent the incident escalating, it resulted in a small, limited data breach of files on internal storage.
“The individuals affected have been contacted, and we are continuing to offer support as required,” the school confirmed.
The attack was perpetrated by the notorious ransomware gang Vice Society, which specialises in intrusions on the education sector. It was responsible for last year’s attack on the Los Angeles School District, one of the largest cyber attacks ever seen against the sector.
That attack crippled the network used by more than 1,000 schools and resulted in 500 gigabytes of data being compromised.
In that incident, Vice Society held the school district to ransom for an unknown sum, and when negotiations stalled, it leaked the information online.
This is a growing trend in the cyber crime industry, and has been dubbed ‘double extortion’. The victim can no longer simply rebuff the ransom demand, delete its infected files and rebuild its systems from backups, because the attackers also hold a copy of the data.
The practice has become more common as organisations anticipated the growing threat that ransomware posed and recognised the difficulties that come with paying off their attackers. There is no guarantee that the criminals will keep their word and hand over the decryption keys once they have received their money.
Furthermore, it still takes considerable time to decrypt systems and get back to business after an attack, plus there is the moral issue of negotiating with cyber criminals. By paying up, you are encouraging – and probably even funding – future attacks.
Cyber criminals responded to this by upping the stakes: pay up or we will leak your customers’ personal data online. This approach creates added risks for victims, who face a reputational disaster if stakeholders’ information is compromised.
Yet, many victims remain steadfast in their refusal to negotiate. And for good reason. Once an intrusion has occurred, the information is already breached and there is little to be gained from paying the attackers to prevent the information being leaked online.
Vice Society’s decision to leak the stolen data in this latest attack suggests that at least some of the affected schools refused to pay up.
The ICO has confirmed that it is investigating this incident, which could result in GDPR (General Data Protection Regulation) fines.
It’s currently unclear how the cyber criminals managed to infiltrate the schools, and therefore the extent to which the victims were at fault. In many cases, ransomware makes its way onto victims’ systems via phishing emails, with the malware hidden in an attachment that the recipient is encouraged to open.
Ransomware attacks are also commonly launched by exploiting system vulnerabilities that enable cyber criminals to gain direct access to an organisation’s internal systems.
If the ICO discovers that the attacks occurred in either of these ways, the affected schools could face strict enforcement action and a financial penalty.
The GDPR and its UK version give supervisory authorities the power to issue fines of up to €20 million/£17.5 million or 4% of the organisation’s annual global turnover (whichever is greater), but penalties of that scale are reserved for extreme cases.
However, even a comparatively lenient fine will have significant consequences, which is why it’s essential for organisations to ensure that their data protection practices are adequate.
Not only will it mitigate the risk of fines, but it will also help avoid data breaches and the reputational damage that accompanies them.
The GDPR has been in effect for almost five years now, but many organisations are still struggling to come to terms with its requirements. With incidents of data breaches skyrocketing and regulatory enforcement increasing each year, anyone who fails to maintain compliant practices could soon face a disastrous scenario.
Many organisations never recover from the damage that a data breach causes, which is why we urge everyone to prioritise information security. GDPR.co.uk provides specific, tailored data protection compliance support for schools, ensuring that you get the support you need.
With our GDPR for Schools platform, you’ll discover how to perform essential data protection practices, such as data protection impact assessments, staff awareness training and incident reporting.
The GDPR’s compliance requirements give organisations a framework for managing data protection risks, and organisations that meet its rules are in an ideal position to mitigate an array of risks.
Our tool was developed by data protection and cyber security experts with more than 15 years’ data privacy and cyber security experience, and now comes with a free two-week trial.