Hackers have launched a successful cyberattack against schools across the UK and has left confidential information related to pupils leaked online.
In total, 14 schools have been impacted, with the sensitive data stolen including passport details, which were likely needed for trips abroad, as well as contracts and pay scales for members of staff.
As reported by the BBC, the attack took place in 2022 with hacking group Vice Society named as the perpetrators. After refusing to refusing to pay the ransom, the information was posted online.
Vice Society have been known to target educational institutions in the UK and US, with a string of attacks associated to the group taking place recently. For instance, 500 gigabytes of data from the entire Los Angeles Unified School District were stolen and resulted in the FBI issuing an alert on the group’s activities as a warning
Commenting on the news and offering their thoughts and advice are the following cybersecurity professionals:
Erfan Shadabi, cybersecurity expert at comforte AG:
Given the troves of personal information stored within lower and higher education institutions, they will always be a target for cybercriminals. As a private individual, sometimes there’s no way to be sure that the services we use are protected by an adequate amount of security. Even if you don’t enter your ID, name, address, or even payment details, they can be used to start fraudulent activities. This incident is, however, very serious as many children’s PII was compromised. With an ever-growing attack surface, building just another wall around the institution’s network or a segment of sensitive data is not the best way forward, especially when it comes to phishing attacks that are likely to generate some hits. In the end, if you’re an educational institute, the most important thing to do is to protect your students’ and employees’ data, as well as your precious and highly valuable research, rather than the borders around that information. With modern solutions such as format-preserving encryption or tokenization, you can render useless to hackers any PII (including names, addresses, and IDs) or other data you deem sensitive, even if they manage to penetrate your strengthened perimeters and actually get their hands on it.
Darren Guccione, CEO, Keeper Security:
“This latest incident of Vice Society criminal activity demonstrates why parents and students must make cybersecurity a priority. A password manager is a critical first step that can help them create high-strength, unique passwords for all of their online accounts, applications and systems which will help prevent future attacks and mitigate the risk of sprawl if their information is posted to the dark web and sold. Additionally, they should immediately implement a dark web monitoring service, which will alert them if their stolen credentials and information are available on the dark web. Dark web monitoring will prompt them with an alert in real time so they can take immediate action to protect themselves from a future data breach. Lastly, they should enable two-factor authentication (2FA) on all of their websites and applications that provide this additional protection. 2FA is a powerful and simple way to safeguard accounts from a remote attacker.”
