When hackers attacked UK nurseries last month and published children’s data online, they were accused of hitting a new low.
But the broader education sector is well used to being a target.
According to a UK government survey, educational institutions are more likely to face a cyber-attack or security breach than private businesses.
Six out of 10 secondary schools have suffered an attack or breach over the past 12 months, rising to eight out of 10 for further education colleges and nine out of 10 for higher education institutions. By comparison, four out of 10 businesses have faced a breach or attack – roughly the same proportion as primary schools.
Toby Lewis, the global head of threat analysis at the cybersecurity firm Darktrace, says the UK education sector is not necessarily being targeted deliberately. “They are just getting caught up in the dragnet of cybercrime attacks that are out there,” he says, adding that there is an “element of randomness and opportunism” in the targeting of cybercrime victims.
The BBC reported last week that Kido, the nursery business targeted by a hacking group calling itself Radiant, was hit after an “initial access broker” sold access to Kido’s systems to Radiant, a common scenario in cybercrime circles.
The government data, from its annual cyber security breaches survey, is based on a survey of nearly 300 secondary and primary schools in the UK as well as more than 30 higher education institutions, including universities. It defines a cyber-attack as an “attempt” to breach a target’s IT systems, which includes sending “phishing” emails that attempt to trick the recipient into handing over sensitive information such as a password.
A phishing email was the most common form of attack for universities and schools.
Ransomware attacks have become a well-known form of cybercrime in the UK. Attackers typically encrypt a target’s IT systems and steal data – then demand a payment in bitcoin for decrypting the systems and destroying or returning the data.
West Lothian council’s education network was hit by a ransomware attack this year that resulted in data being taken from some schools, while universities hit by cyber-attacks in recent years include Newcastle University, the University of Manchester and the University of Wolverhampton.
Lewis adds that state schools might be more vulnerable to attacks because of pressure on funding and a lack of specialist expertise, while universities are vulnerable because they have thousands of young students who might not be cyber security-literate, as well as having computer networks that are designed to foster academic cooperation.
Universities appear to be popular targets. Further and higher education institutions are affected most regularly, with three out of 10 reporting a breach or attack on a weekly basis, according to the government. Despite, or perhaps because of, the number of attacks, the education sector is more aware of government initiatives on preventing cybercrime than businesses and charities.
Pepe Di’Iasio, the general secretary of the UK Association of School and College Leaders, said ransomware attacks were a “major risk” to the sector and a “great deal of work” was going on to protect systems and data.
James Bowen, assistant general secretary at the National Association of Head Teachers, said additional government funding to help school leaders spot and respond to cyber threats would “certainly be welcome”.
The Department for Education said its support for schools included a dedicated team for responding to cyber incidents and working closely with the UK’s National Cyber Security Centre to offer free training for school staff. “We take the cybersecurity of our schools seriously, understanding the significant disruption attacks can cause, and there is a range of support on offer for schools,” said its spokesperson.
Kido’s hackers have deleted the data they took from the company, including profiles of children, following a backlash against the hack.
Government data, however, shows that the wider education sector remains a target. Ministers are preparing to ban schools, the NHS and local councils from making ransomware payments under government proposals to tackle hackers, which might help dissuade assailants. In the meantime, the attacks continue.