Mishcon de Reya page structure
Site header
Main menu
Main content section
Person's hands on laptop in dark room

Cyberattacks against schools: what you need to know

Posted on 31 January 2023

Earlier this month, the BBC reported that highly confidential documents from 14 schools in the UK had been leaked online by the hacking group, Vice Society.

Vice Society, which is understood to be a Russian-speaking group, has previously targeted other institutions in both the education and healthcare sectors, both in the UK and the US. The ransomware actor is thought to work by exploiting known vulnerabilities to gain access to its victims' systems. According to an FBI alert on the group's activities, Vice Society will then explore the network and exfiltrate data, threatening to publicly release sensitive data unless the victim pays a ransom.

The BBC confirmed that the leaked documents included children's Special Educational Needs information, scans of children's passports and details of staff pay and contracts. In the US, Vice Society released students' Social Security numbers, financial and tax information and health details.

In addition to sensitive information being leaked and the reputational damage that follows with it, schools suffered disruption to their IT systems, telephone lines and teaching materials.

Schools and other educational institutions are, in many ways, easy prey for hackers. They hold highly sensitive and confidential data and may well be under-resourced in terms of cyber security, both in terms of systems and understanding.

The potential for hackers to cause disruption to teaching and learning, as well as accessing (and leaking) confidential data, means that schools should be alive to the risks and take proactive measures to prevent such hacks occurring.

Schools should:

  • Identify known vulnerabilities in their systems and mitigate against them
  • Regularly review their compliance with data protection law, where necessary by instructing external advisers
  • Train staff to recognise phishing attempts and implement a system for reporting them
  • Enable multifactor authentication for device and account access, particularly for users with access to highly sensitive information

The reputational damage of a cyberattack can be serious, as cyberattacks are often reported in the mainstream press. Cyberattacks and data breaches may also damage students, parents and employees' trust in the school.

Furthermore, schools should be aware that they have obligations under the UKGDPR in respect of data breaches and in the most severe instances, could be fined by the ICO.

Related Content
News

Prayer ban in school deemed lawful by the High Court

News

Navigating exam season in UHNW families: Antonia Felix and Rebecca Lachno for Tatler

person typing on keyboard News

127 million data subjects' financial records "breached" in last five years

News

The Graduate visa: top tips to avoid common pitfalls, and a look at what's to come

Mishcon de Reya client lounge lights News

Mishcon de Reya advises on the minority investment into Exam Papers Plus, by Tresmares Capital

News

Using artificial intelligence in cybersecurity technologies: total defence or best defence?

News

The Legal 500 UK 2024

Africa House Doors News

Pathways to Law 2023

News

University boycotts and the rights of students

abstract-purple News

Professor Arif Ahmed appointed as the director for freedom of speech and academic freedom at the Office for Students

Books stacked next to laptop on desk News

Free speech bill and Higher Education: James Murray for Times Higher Education

News

Our response to the Office for Students consultation on tackling harassment and sexual misconduct in higher education

How can we help you?
Help

How can we help you?

Subscribe: I'd like to keep in touch

If your enquiry is urgent please call +44 20 3321 7000

I'm a client

I'm looking for advice

Something else