Earlier this month, the BBC reported that highly confidential documents from 14 schools in the UK had been leaked online by the hacking group, Vice Society.
Vice Society, which is understood to be a Russian-speaking group, has previously targeted other institutions in both the education and healthcare sectors, both in the UK and the US. The ransomware actor is thought to work by exploiting known vulnerabilities to gain access to its victims' systems. According to an FBI alert on the group's activities, Vice Society will then explore the network and exfiltrate data, threatening to publicly release sensitive data unless the victim pays a ransom.
The BBC confirmed that the leaked documents included children's Special Educational Needs information, scans of children's passports and details of staff pay and contracts. In the US, Vice Society released students' Social Security numbers, financial and tax information and health details.
In addition to sensitive information being leaked and the reputational damage that follows with it, schools suffered disruption to their IT systems, telephone lines and teaching materials.
Schools and other educational institutions are, in many ways, easy prey for hackers. They hold highly sensitive and confidential data and may well be under-resourced in terms of cyber security, both in terms of systems and understanding.
The potential for hackers to cause disruption to teaching and learning, as well as accessing (and leaking) confidential data, means that schools should be alive to the risks and take proactive measures to prevent such hacks occurring.
- Identify known vulnerabilities in their systems and mitigate against them
- Regularly review their compliance with data protection law, where necessary by instructing external advisers
- Train staff to recognise phishing attempts and implement a system for reporting them
- Enable multifactor authentication for device and account access, particularly for users with access to highly sensitive information
The reputational damage of a cyberattack can be serious, as cyberattacks are often reported in the mainstream press. Cyberattacks and data breaches may also damage students, parents and employees' trust in the school.
Furthermore, schools should be aware that they have obligations under the UKGDPR in respect of data breaches and in the most severe instances, could be fined by the ICO.