Catholic college students mine dark web to share hacked documents
A Melbourne Catholic college has warned parents to keep their children off the dark web after students unearthed and circulated screenshots of private information stolen by hackers from the school.
Loyola College, in Watsonia in the city’s north-east, was hacked last month by a foreign cyber-crime group, which said it had stolen sensitive information about staff and students, including identity documents, tax and financial records, and court orders.
Now the school says students have found some of the stolen material posted on the dark web by the criminal group, Interlock, and have been sharing it with each other.
It is unclear whether the material being circulated related to students or staff.
Principal Alison Leutchford said in a letter to parents on August 30 that private student data, including medical and financial information, had been stolen and may have been published online.
The school hired cybersecurity experts to investigate the extent of the personal information accessed, put extra safeguards in place and reset all staff, parent and student passwords.
But soon after the leak, students began searching the dark web – an unregulated part of the internet accessible only with specialist search software where criminality is rife – to access the stolen data.
“We are aware that some students have attempted to search for, and access, information on the dark web related to the breach. Screenshots of this information have been circulated between students,” Leutchford wrote to parents earlier this month.
“While we understand that young people are curious about what has happened, we ask that you speak with your children immediately to discourage any further activity of this type.”
Leutchford said it complicated their investigation but could also carry “serious legal consequences if certain information was downloaded, shared or reposted”.
“Exploring the dark web and accessing this material on personal devices may expose families to unnecessary and very serious risks,” she said.
A parent at the school, who asked not to be identified, said families’ anxiety about the hack went far beyond compromised passports or bank account details.
“Parents can handle bank accounts, but your kids’ private information, once that’s out, you can’t undo that,” she said.
The principal said it was likely the students accessed the dark web outside school using laptops, computers or mobile phones at home, and warned parents about the importance of digital responsibility.
Interlock listed the school as one of its victims on a leak site, saying Loyola was “very poorly protected in our reality and therefore data was compromised”.
“The full history and database of all students and all their private information were freely available! Also, a large number of financial, legal and other documents!”
Interlock claims it has hacked 67 victims across the world, 14 of which were educational institutions. Loyola College was the first Australian school targeted by the group, but Interlock has been linked to other cyber-security breaches in Australia.
According to cyberdaily.au, Interlock published several sample documents from Loyola, including passports of current and past employees, detailed financial records, tax details and court orders.
Interlock has been targeting groups in North America and Europe since September 2024 and is described by the FBI as opportunistic and financially motivated.
The group has used a “double extortion model” by which vital data is stolen and encrypted, and subject to ransom demands. But it is unclear if the hackers have tried to extort Loyola in this way.
Cyber safety expert Susan McLean said schools were notorious for having “really slack and easily hackable systems”.
“It needs to be a wake-up call for all schools to look and improve their systems,” she said.
McLean said there were two parts to the hacking: the monetary element of banking details or enough personal information for identity theft, and simply being a pest and proving they could do it.
Parents can change their credit card numbers if bank details are hacked, “but if your personal information is out there – that’s not good in any shape or form”.
“It will lead to bullying and harassment,” she said.
“The question for the school is, ‘what are you doing to discipline the kids who do this? Do you have school rules around this? If you don’t, you need to’.”
She said children can easily access the dark web, and she knew children did so because she fields questions about whether their dark web activity was traceable.
Last year, there were 1446 students enrolled at Loyola, which employed 131 teaching staff and 79 non-teaching staff.
A Melbourne Archdiocese Catholic Schools spokesperson, speaking on the college’s behalf, said the relevant government authorities, including Victoria Police, had been notified of the hack.
“Our external forensic digital experts are still working to understand the full nature of information that has been accessed. Investigations of this kind do, unfortunately, take time,” she said.
“As this ongoing investigation reveals further details, we are calling impacted individuals or, where appropriate, advising them in writing.”
The spokesperson said that extra online security was now in place at Loyola and other Catholic schools around Melbourne and that students, staff and parents at the college were receiving support and advice.
The federal government’s Australian Cyber Security Centre would not comment on the incident.
The Loyola incident follows a cyberattack at top boys’ school Scotch College in early August. Principal Dr Scott Marsh said an investigation found only a limited amount of information had been accessed by a third party.
In an email to parents, seen by The Age, Marsh said the school had taken a cautious approach and reviewed files identified as likely to be at risk. He said the school would contact those people whose information it thought might have been accessed.
To report cybercrime and cyber security incidents, visit www.cyber.gov.au/report, or call the Australian Cyber Security Hotline on 1300 CYBER1 (1300 292 371).