UK schools' confidential data leaked on the dark web

UK schools' confidential data leaked on the dark web

Image:
UK schools' confidential data leaked on the dark web

Threat group Vice Society is allegedly the leak of data from 14 schools

Hackers have published highly confidential data from 14 schools, including students ' personal details, on the dark web.

The BBC claims to have seen leaked documents that included children's passport scans, SEN details and contract information. This data was stolen from Pates Grammar School in Gloucestershire, which was hit with a cyberattack from hacking group called Vice Society last year.

According to BBC, the files stolen from Pates Grammar School were comprehensive, and hackers used generic search terms to find the data.

Passport scans for students and parents on school trips going back to 2011 are kept in a folder labelled "passports." Another folder labelled "contract" contains contractual offers made to personnel, along with some teaching documents. Documents about the headmaster's salary and the beneficiaries of the student bursary fund are kept in a separate folder labelled "confidential."

The Pates breach is believed to have occurred on September 28, when the school contacted parents to inform them that both its phone lines and IT systems were down.

A few days later, the school emailed again, this time providing Gmail accounts for parents to contact.

In addition to the Pates' documents, the BBC discovered confidential data purportedly from the following institutions on the website of Vice Society, the suspected attacker:

• Carmel College, St Helens

• Durham Johnston Comprehensive School

• Frances King School of English, London/Dublin

• Gateway College, Hamilton, Leicester

• Holy Family RC + CE College, Heywood

• Lampton School, Hounslow, London

• Pilton Community College, Barnstaple

• Samuel Ryder Academy, St Albans

• School of Oriental and African Studies, London

• St Paul's Catholic College, Sunbury-on-Thames

• Test Valley School, Stockbridge

• The De Montfort School, Evesham

Lampton School said in a statement that teachers were informed of the hack but "we did not inform them of the data that was stolen."

"The ICO [Information Commissioner's Office, the UK data protection watchdog] did not tell us to notify the data subjects. We blocked remote access to all but a small number of staff with two-factor authentication, and all our passwords have been reset," it added.

The Mossbourne Federation in London stated that parents, students, staff, and others who could be affected were quickly alerted and kept up to date throughout the recovery process: "We have fully recovered from the cyber-attack and have returned to normal operations."

The School of Oriental and African Studies said it suffered a cyberattack in September 2022, in which hackers stole some 18,680 files, including budget data and staff contracts.

"We notified staff and students of the incident, and while we were able to prevent the incident escalating, it resulted in a small, limited data breach of files on internal storage," a spokesperson said.

"The individuals affected have been contacted, and we are continuing to offer support as required."

The ICO and Gloucestershire Police confirmed they were investigating the alleged breaches.

Vice Society

Vice Society is a cybercrime group that has been aggressively targeting the educational institutions in several countries, including the UK and the USA. The group exploits known vulnerabilities to compromise victims' systems.

In an earlier campaign, it stole and published data obtained from the Los Angeles Unified School District (LAUSD). Following the incident, the FBI issued a warning that the group was mainly targeting schools.

Last month, the gang claimed that it had published confidential personal data of Xavier University students and employees when the Ohio university refused to pay its ransom demands.

The threat group releases data on the dark web, an area of the web that is not indexed by search engines. Any cyber actor on the dark web may obtain stolen information and use it for their own purposes, including selling it to others.