Schools hit by cyber attack and documents leaked

Following a hack, Vice Society makes demands for money to prevent it leaking documents on the dark web

Highly confidential documents from 14 schools have been leaked online by hackers, the BBC can reveal.

One of those was Pates Grammar School in Gloucestershire, targeted by a hacking group called Vice Society.

The documents, seen by the BBC, include children's SEN information, child passport scans, staff pay scales and contract details, taken in 2021 & 2022.

A spokesperson for Pates Grammar School said it took the security of its systems and data extremely seriously.

The Vice Society has been behind a high-profile string of attacks on schools across the UK and the USA in recent months.

It allegedly stole 500 gigabytes of data from the entire Los Angeles Unified School District, according to technology website Wired.

The FBI in America has already released an alert on the group's activities.

When data is stolen, Vice Society demands money and leaks the documents if payment is not made.

The Vice Society's website contained thousands of documents hacked from schools

The documents stolen from Pates Grammar School were comprehensive, with hackers taking documents using generic search terms.

One folder marked "passports" contains passport scans for pupils and parents on school trips going back to 2011, whereas another marked "contract" contains contractual offers made to staff alongside teaching documents on muscle contractions.

Another folder marked "confidential" contains documents on the headmaster's pay, and student bursary fund recipients.

Alongside information from Pates, the BBC found confidential documents purporting to be from the following establishments on Vice Society's website.

Every school on this list has been contacted for comment.

  • Carmel College, St Helens
  • Durham Johnston Comprehensive School (hacked in 2021, documents posted online in January 2022)
  • Frances King School of English, London/Dublin

Frances King said it hadn't notified parents and pupils, but the hack didn't affect teaching and it was reported to their IT company.

  • Gateway College, Hamilton, Leicester
  • Holy Family RC + CE College, Heywood
  • Lampton School, Hounslow, London

Lampton School issued a statement that read: "Teachers were aware of the breach but we did not inform them of the data that was stolen. The ICO did not tell us to notify the data subjects. We blocked remote access to all but a small number of staff with two-factor authentication, and all our passwords have been reset."

  • Mossbourne Federation, London

Mossbourne Federation said: "Parents, pupils, staff and all concerned were immediately notified and kept up-to-date during the recovery process. We have fully recovered from the cyber-attack and have returned to normal operations."

  • Pilton Community College, Barnstaple
  • Samuel Ryder Academy, St Albans
  • School of Oriental and African Studies, London
  • St Paul's Catholic College, Sunbury-on-Thames
  • Test Valley School, Stockbridge
  • The De Montfort School, Evesham

The De Montfort School declined to comment.

The School of Oriental and African Studies confirmed it was hacked in September 2022, with staff contracts and budget details leaked among some 18,680 other files.

"We notified staff and students of the incident, and while we were able to prevent the incident escalating, it resulted in a small, limited data breach of files on internal storage.

"The individuals affected have been contacted, and we are continuing to offer support as required," a spokesperson said.

Hackers leaked the information on the dark web, a section of the internet often used by criminals.

The dark web is not indexed on regular search engines, and requires specialist browsing software to access it.

Pates Grammar School was one of those hacked by Vice Society

Pates' hacking timeline

The hack at Pates is estimated to have taken place on 28 September, when the school emailed parents to say its IT systems and phone lines were down. A few days later the school emailed again with Gmail accounts it had created for parents to contact.

On 7 October, the headteacher emailed again to say its systems were "accessed by an unauthorised third party." Teaching materials, which relied on Microsoft Teams, were affected, and the school said it had notified the Information Commissioner's Office (ICO) and police.

At that time, the headmaster wrote: "There is currently no evidence that data has been stolen or published."

Five days later, the school emailed parents again.

The headmaster wrote: "Regrettably, it now appears that some of our data was taken by the criminal organisation and placed on its dark web site, which is not easily accessible and only available to a limited audience with the technical knowledge and ability to access this specific site.

"If we learn that any significant data has been affected in this way, you will be informed and provided with guidance and assistance."

The ICO and Gloucestershire Police confirmed they were investigating the alleged breaches in 2022.

A spokesperson for Pates Grammar School said: "We are currently working closely with cyber-security specialists to conduct a thorough assessment and analysis of this data.

"We are working with highly experienced forensic investigators to secure our systems and resolve the issue.

"We have successfully restored key systems, minimised the disruption to staff and students, and continue to keep the relevant authorities informed of any new developments."

Ross Brewer, chief revenue officer of cyber-security risk management company SimSpace, said: "We see the education and healthcare sectors being heavily targeted due to their primary focus being on education and care, not cybersecurity.

"They are typically under resourced in the IT function and are easy prey for the hackers that have no heart and are purely motivated by greed.

"The personal information that can be obtained is highly valuable or in some cases embarrassing. Organisations need to train their teams in the safe cyber range environment, so they know what to look for, how to identify gaps in their protection, and how to continually improve their digital hygiene."
