Schools hit by cyber attack and documents leaked

Highly confidential documents from 14 schools have been leaked online by hackers, the BBC can reveal.

One of those was Pates Grammar School in Gloucestershire, targeted by a hacking group called Vice Society.

The documents, seen by the BBC, include children’s SEN information, child passport scans, staff pay scales and contract details, stolen in 2022.

A spokesperson for Pates Grammar School said it took the security of its systems and data extremely seriously.

The Vice Society has been behind a high-profile string of attacks on schools across the UK and the USA in recent months.

It allegedly stole 500 gigabytes of data from the entire Los Angeles Unified School District, according to technology website Wired.

The FBI in America has already released an alert on the group’s activities.

When data is stolen, Vice Society makes demands for money before leaking the documents if payment is not made.

The documents stolen from Pates Grammar School were comprehensive, with hackers taking documents using generic search terms.

One folder marked “passports” contains passport scans for pupils and parents on school trips going back to 2011, whereas another marked “contract” contains contractual offers made to staff alongside teaching documents on muscle contractions.

Another folder marked “confidential” contains documents on the headmaster’s pay, and student bursary fund recipients.

Alongside information from Pates, the BBC found confidential documents purporting to be from the following establishments on Vice Society’s website.

Every school on this list has been contacted for comment.

Lampton School issued a statement that read: “Teachers were aware of the breach but we did not inform them of the data that was stolen. The ICO did not tell us to notify the data subjects. We blocked remote access to all but a small number of staff with two-factor authentication, and all our passwords have been reset.”

Mossbourne Federation said: “Parents, pupils, staff and all concerned were immediately notified and kept up-to-date during the recovery process. We have fully recovered from the cyber-attack and have returned to normal operations.”

The De Montfort School declined to comment.

The School of Oriental and African Studies confirmed it was hacked in September 2022, with staff contracts and budget details leaked among some 18,680 other files.

“We notified staff and students of the incident, and while we were able to prevent the incident escalating, it resulted in a small, limited data breach of files on internal storage.

“The individuals affected have been contacted, and we are continuing to offer support as required,” a spokesperson said.

Hackers leaked the information on the dark web, a section of the internet often used by criminals.

The dark web is not indexed on regular search engines, and requires specialist browsing software to access it.

The hack at Pates is estimated to have taken place on 28 September, when the school emailed parents to say its IT systems and phone lines were down. A few days later the school emailed again with Gmail accounts it had created for parents to contact.

On 7 October, the headteacher emailed again to say its systems were “accessed by an unauthorised third party.” Teaching materials, which relied on Microsoft Teams, were affected, and the school said it had notified the Information Commissioners Office (ICO) and police.

At that time, the headmaster wrote: “There is currently no evidence that data has been stolen or published.”

Five days later, the school emailed parents again.

The headmaster wrote: “Regrettably, it now appears that some of our data was taken by the criminal organisation and placed on its dark web site, which is not easily accessible and only available to a limited audience with the technical knowledge and ability to access this specific site.

“If we learn that any significant data has been affected in this way, you will be informed and provided with guidance and assistance.”

The ICO and Gloucestershire Police confirmed they were investigating the alleged breaches in 2022.

A spokesperson for Pates Grammar School said: “We are currently working closely with cyber-security specialists to conduct a thorough assessment and analysis of this data.

“We are working with highly experienced forensic investigators to secure our systems and resolve the issue.

“We have successfully restored key systems, minimised the disruption to staff and students, and continue to keep the relevant authorities informed of any new developments.”

Follow BBC West on Facebook, Twitter and Instagram. Send your story ideas to: bristol@bbc.co.uk