Schools hit by cyber attack and documents leaked
- Published
Highly confidential documents from 14 schools have been leaked online by hackers, the BBC can reveal.
One of those was Pates Grammar School in Gloucestershire, targeted by a hacking group called Vice Society.
The documents, seen by the BBC, include children's SEN information, child passport scans, staff pay scales and contract details, taken in 2021 & 2022.
A spokesperson for Pates Grammar School said it took the security of its systems and data extremely seriously.
The Vice Society has been behind a high-profile string of attacks on schools across the UK and the USA in recent months.
It allegedly stole 500 gigabytes of data from the entire Los Angeles Unified School District, according to technology website Wired., external
The FBI in America has already released an alert, external on the group's activities.
When data is stolen, Vice Society makes demands for money before leaking the documents if payment is not made.
The documents stolen from Pates Grammar School were comprehensive, with hackers taking documents using generic search terms.
One folder marked "passports" contains passport scans for pupils and parents on school trips going back to 2011, whereas another marked "contract" contains contractual offers made to staff alongside teaching documents on muscle contractions.
Another folder marked "confidential" contains documents on the headmaster's pay, and student bursary fund recipients.
Alongside information from Pates, the BBC found confidential documents purporting to be from the following establishments on Vice Society's website.
Every school on this list has been contacted for comment.
Carmel College, St Helens
Durham Johnston Comprehensive School (hacked in 2021, documents posted online in January 2022)
Frances King School of English, London/Dublin
Frances King said it hadn't notified parents and pupils, but the hack didn't affect teaching and it was reported to their IT company.
Gateway College, Hamilton, Leicester
Holy Family RC + CE College, Heywood
Lampton School, Hounslow, London
Lampton School issued a statement that read: "Teachers were aware of the breach but we did not inform them of the data that was stolen. The ICO did not tell us to notify the data subjects. We blocked remote access to all but a small number of staff with two-factor authentication, and all our passwords have been reset."
Mossbourne Federation, London
Mossbourne Federation said: "Parents, pupils, staff and all concerned were immediately notified and kept up-to-date during the recovery process. We have fully recovered from the cyber-attack and have returned to normal operations."
Pilton Community College, Barnstaple
Samuel Ryder Academy, St Albans
School of Oriental and African Studies, London
St Paul's Catholic College, Sunbury-on-Thames
Test Valley School, Stockbridge
The De Montfort School, Evesham
The De Montfort School declined to comment.
The School of Oriental and African Studies confirmed it was hacked in September 2022, with staff contracts and budget details leaked among some 18,680 other files.
"We notified staff and students of the incident, and while we were able to prevent the incident escalating, it resulted in a small, limited data breach of files on internal storage.
"The individuals affected have been contacted, and we are continuing to offer support as required," a spokesperson said.
Hackers leaked the information on the dark web, a section of the internet often used by criminals.
The dark web is not indexed on regular search engines, and requires specialist browsing software to access it.
Pates' hacking timeline
The hack at Pates is estimated to have taken place on 28 September, when the school emailed parents to say its IT systems and phone lines were down. A few days later the school emailed again with Gmail accounts it had created for parents to contact.
On 7 October, the headteacher emailed again to say its systems were "accessed by an unauthorised third party." Teaching materials, which relied on Microsoft Teams, were affected, and the school said it had notified the Information Commissioners Office (ICO) and police.
At that time, the headmaster wrote: "There is currently no evidence that data has been stolen or published."
Five days later, the school emailed parents again.
The headmaster wrote: "Regrettably, it now appears that some of our data was taken by the criminal organisation and placed on its dark web site, which is not easily accessible and only available to a limited audience with the technical knowledge and ability to access this specific site.
"If we learn that any significant data has been affected in this way, you will be informed and provided with guidance and assistance."
The ICO and Gloucestershire Police confirmed they were investigating the alleged breaches in 2022.
A spokesperson for Pates Grammar School said: "We are currently working closely with cyber-security specialists to conduct a thorough assessment and analysis of this data.
"We are working with highly experienced forensic investigators to secure our systems and resolve the issue.
"We have successfully restored key systems, minimised the disruption to staff and students, and continue to keep the relevant authorities informed of any new developments."
Ross Brewer, chief revenue officer of cyber-security risk management company SimSpace, said: 'We see the education and healthcare sectors being heavily targeted due to their primary focus being on education and care, not cybersecurity.
"They are typically under resourced in the IT function and are easy prey for the hackers that have no heart and are purely motivated by greed.
"The personal information that can be obtained is highly valuable or in some cases embarrassing. Organisations need to train their teams in the safe cyber range environment, so they know what to look for, how to identify gaps in their protection, and how to continually improve their digital hygiene."
Follow BBC West on Facebook, external, Twitter, external and Instagram, external. Send your story ideas to: bristol@bbc.co.uk , external
- Published16 September 2022
- Published15 September 2022
- Published11 November 2022