Highly confidential documents from 14 schools have been leaked online by hackers, the BBC can reveal.
One of these was Pates Grammar School in Gloucestershire, which was targeted by a hacking group called the Vice Society.
Documents seen by the BBC include children’s SEN information, scans of children’s passports, salary tables and contract details stolen in 2022.
A spokesman for Pates Grammar School said it takes the security of its systems and data very seriously.
The Vice Society has been behind a high-profile spate of attacks on schools in the UK and US in recent months.
According to technology website Wired, 500 gigabytes of data were reportedly stolen from across the Los Angeles Unified School District.
The FBI in America has already issued an alert on the group’s activities.
When data is stolen, Vice Society demands money before revealing the documents if payment is not made.
The documents stolen from Pates Grammar School were extensive, with hackers stealing documents containing generic search terms.
A folder labeled ‘Passports’ contains passport scans of students and parents on school trips since 2011, another labeled ‘Contract’ contains offers of contracts to staff and instructional materials on muscle contractions.
Another folder, labeled “Confidential,” contains documents on the principal’s salary and scholarship recipients.
As well as information from Pates, the BBC found confidential documents purportedly from the following entities on the Vice Society website.
Each school on this list was asked to comment.
- Carmel College, St Helens
- Durham Johnston Comprehensive School
- Frances King School of English, London/Dublin
- Gateway College, Hamilton, Leicester
- Holy Family RC+CE College, Heywood
- Lampton School, Hounslow, London
The Lampton School issued a statement which read: “Teachers were aware of the breach but we did not notify them of the stolen data. The ICO did not direct us to notify data subjects. We’ve blocked remote access for all but a small number of employees using two-factor authentication and all of our passwords have been reset.”
- Mossbourne Federation, London
Mossbourne Federation said: “Parents, students, staff and everyone involved were notified immediately and kept up to date throughout the recovery process. We have fully recovered from the cyber attack and have returned to normal operations.”
- Pilton Community College, Barnstaple
- Samuel Ryder Academy, St Albans
- School of Oriental and African Studies, London
- St Paul’s Catholic College, Sunbury-on-Thames
- Test Valley School, Stockbridge
- The De Montfort School, Evesham
The De Montfort School declined to comment.
The School of Oriental and African Studies confirmed it was hacked in September 2022, leaking staff contracts and budget details alongside around 18,680 other files.
“We notified staff and students of the incident and while we were able to prevent the incident from escalating, it resulted in a small, limited data breach of files on internal storage.
“The individuals concerned have been contacted and we continue to offer support where needed,” a spokesman said.
Hackers leaked the information on the dark web, an area of the internet often used by criminals.
The dark web is not indexed by regular search engines and requires special browsing software to access it.
Pates’ hack is estimated to have happened on September 28, when the school emailed parents that their IT systems and phone lines were down. A few days later, the school emailed again using Gmail accounts they had created for the parents to get in touch with.
On October 7, the principal emailed again saying its systems had been “accessed by an unauthorized third party.” Classroom materials that relied on Microsoft Teams were affected, and the school said it had notified the Information Commissioners Office (ICO) and the police.
At the time, the principal wrote: “There is currently no evidence that data was stolen or made public.”
Five days later, the school emailed the parents again.
The headmaster wrote: “Unfortunately, it now appears that some of our data has been taken by the criminal organization and placed on their dark website, which is not easily accessible and only available to a limited audience with the technical knowledge and ability to access it stands specific site.
“If we learn that important data has been affected in this way, you will be informed and receive guidance and support.”
The ICO and Gloucestershire Police confirmed they are investigating the alleged breaches in 2022.
A spokesman for Pates Grammar School said: “We are currently working closely with cybersecurity specialists to conduct a thorough assessment and analysis of this data.
“We are working with highly experienced forensic investigators to secure our systems and resolve the issue.
“We have successfully restored critical systems, minimizing disruption to staff and students, and continue to keep the relevant authorities informed of any new developments.”
Follow BBC West on Facebook, Twitter and Instagram. Submit your story ideas to: bristol@bbc.co.uk
Add Comment