A ransomware group called Vice Society has leaked a large amount of personal data belonging to students and staff at 14 UK schools and universities. The data reportedly includes scanned passport details for school trips, children's special educational needs information and staff payroll and contract details. Hackers, according to the BBC, published confidential data from 14 schools on the dark web, including students' personal details such as passport scans, SEN details, and contract information.
The schools impacted include Pates Grammar School in Gloucester, Carmel College in St Helens, Durham Johnston Comprehensive School, Frances King School of English in London and Dublin, Gateway College in Hamilton, Leicester, Holy Family RC and CE College in Heywood, Lampton School in Hounslow, London, Mossbourne Federation in London, Pilton Community College in Barnstaple, Samuel Ryder Academy in St Albans, School of Oriental and African Studies (SOAS) in London, St Paul's Catholic College in Sunbury-on-Thames, Test Valley School in Stockbridge and The De Montfort School in Evesham.
It is not known whether any of the schools have paid a ransom.
The Information Commissioner's Office (ICO) has been informed of the incidents. Chris Vaughan, AVP, EMEA, Tanium shared how education institutions should approach fortifying their cyber defenses to avoid becoming a similar type of victim:
"This attack is another reminder of how cyber attackers are becoming increasingly more targeted and sophisticated with their methods of attack. If sensitive school data falls into the hands of malicious actors, there is no control on where the data might end up and what it might be used for. It’s vital that education institutions are aware of the simple steps that can be put in place to avoid a data breach from occurring.
This includes ensuring that they have a complete view of the devices connecting to their IT environment and securing cloud networks to block unauthorized access to pupil and staff data. This will help them identify any weaknesses that could increase the likelihood of a cyberattack being successful, such as unpatched devices or IT users adopting risky behaviors. Another measure that will help negate these attacks is a thorough cybersecurity training program for staff. This may seem obvious, but many security breaches start with a user clicking on a malicious link – often in a phishing email. With such sensitive data being stored, it is an essential requirement for organizations to follow these steps, to have greater visibility and control over their data and minimize the likelihood of breaches occurring again.
In summary, it is imperative that schools adopt best practices in cybersecurity by ensuring they have complete visibility and management of the devices connected to their networks. However, a lack of skilled resources makes it difficult to achieve this and to address the other requirements of a successful cyber security program.” ###