A Herefordshire Secondary School headteacher has sent a letter to parents to advise them that student data has been leaked following a cyber attack on the school.
The Bishop of Hereford’s Bluecoat School sent the following letter to parents earlier this week.
As you will know from a previous letter I wrote to you, in October we were the victims of a cyber-attack on the school’s IT system which caused significant disruption. We have been working hard and now have the IT system back up and running successfully.
We were recently made aware that as a result of the cyber-attack, there has been a breach of some school information. I am writing to you, to keep you updated and provide further information about the consequences of the attack we were subjected to and what our next steps are to enhance the protection of our school in the future.
Given the nature of the attack on our school and the breach of information, we have reported this to the Information
Commissioner’s Office who will advise us of the next steps in their process. The ICO is the UK’s independent body set up to uphold information rights.
Details of the breach
On Sunday 9th October 2022, our IT network detected unusual activity, in response, our IT Manager immediately disconnected the remote access and the file system from the network.
On Monday 10th October, our servers were disabled by a hacking group called ‘Vice Society’, who informed us that they had encrypted the school’s electronic files. Our IT Manager disconnected the internet so that no traffic could access the school network for three days whilst investigations were ongoing. Our external IT provider, EduTech assisted us in the investigations.
During this period of time, our IT team and EduTech recovered the school’s systems and at that point there was no indication that any data had been taken from the school’s system and that no breach had occurred.
The police were also contacted at this point to notify them of the criminal activity, no action was taken at this point as it was believed that no data had been breached.
On Monday 31st October, we received a communication from an alleged third party company stating that the school’s data had been published on the ‘dark web’. The dark web is a way for private computer networks to communicate and conduct business anonymously online without divulging identifying information, such as a user’s location.
Following further investigation, last week, the school has been in communication with the cyber police, of which investigations are ongoing. At this point the school can confirm that the following student information had been posted on 27th October:
o Full Names and Addresses
o Unique Pupil Number (UPN) o Date of birth
o Gender
o Ethnicity
o Additional SEN Information
o Multi-Agency safeguarding hub reports and police incident reports
Likely consequences of the data breach
As a school, this is deeply concerning and distressing time for us in that personal and confidential information has been breached and published in this way.
Unfortunately, it is not possible to ascertain exactly how much of the data has been copied or shared and in that respect the breach is currently uncontained.
Given the sensitivity of some of the information that has been published, I am writing to inform you and ask that you remain vigilant in the event you encounter any unusual or suspicious activity.
Measures taken or proposed to be taken by the School to address the data breach
o We are currently working with the cyber police to pursue the criminal actions that have been taken against us.
o The school has purchased and installed additional software to further protect against future incidents. We are working, as always, with our external IT experts and will
continue to review and test the integrity of our IT security systems.
o If any of the data that has been published contains security information such as
usernames/passwords we will be in touch with those parents directly.
o We have an appointed Data Protection Officer (DPO) who is actively working with the school to address the data breach. Their contact details are:
HY Education Solicitors 3 Reed House
Hunters Lane Rochdale
OL16 1YL
0161 543 8884 DPO@wearehy.com
This is a very difficult letter to write to you and I appreciate the concern you will have about the extent and implications of the data breach that I have described.
The hacking group responsible for this criminal activity on us have made similar attacks internationally with a focus on public sector organisations, specifically schools and hospitals, seemingly with the intent to cause as much disruption and distress as possible.
On behalf of the school, I sincerely apologise for the distress that this may cause and reassure you that we are doing everything that we can in taking all necessary steps to address the situation.
Should you wish to discuss this with the DPO, please contact them on 0161 543 8884 or email DPO@wearehy.com.
Yours sincerely,
Martin Henton Headteacher