Private school students’ personal data proves prime target for hackers

By Matthew Knott

Cybercriminals see private schools as increasingly attractive extortion targets, threatening to publish sensitive student and parent data unless school authorities pay a ransom, according to the nation’s top cyber spy agency.

Abigail Bradshaw, director-general of the Australian Signals Directorate, highlighted the risk to education providers when releasing the agency’s annual cyberthreat report on Tuesday.

Australian Signals Directorate boss Abigail Bradshaw said schools had become attractive targets for cybercriminals. Credit: Alex Ellinghausen

Real estate companies and aged care facilities also make appealing targets for ransomware attacks because of the detailed customer data they hold, she said.

“It’s the same model of extortion [as private companies],” Bradshaw said.

“A school might keep, for example, sensitive records of children or other details, and then the threat will be ‘pay the ransom or the actor will publish data on the dark web’.”

Schools typically hold significant amounts of students’ personal details, including health information, psychological reports, details of disciplinary action and test results as well as parents’ payment details.

Private schools are prime hacking targets because cybercriminals may assume they have a greater capacity to pay a ransom, Bradshaw said.

A malware attack hit the Association of Independent Schools of NSW in November 2023 after an employee searched online for an Australian education sector enterprise agreement and clicked on a malicious link, according to the ASD’s cyber threat report.

The malicious actor had persistent access to the association’s network for three days, and federal police were called in to prevent a repeat of such attacks on other organisations.

Hackers gained access to the credit card details of about 400 parents at Mount Lilydale Mercy College, a Catholic school in Melbourne’s outer east, last year.

Hackers also released 16,000 Tasmanian education department documents on the dark web, including schoolchildren’s personal information, in 2023, while Newcastle Grammar School reported a major ransomware attack in 2021.

Air Marshal Darren Goldie, the country’s first national cybersecurity co-ordinator, said last year that schools were becoming “more prominent targets” for ransomware attacks.

“If you consider the profile of a school, they are the same exact size of a successful medium-sized business, with a couple of thousand individuals all carrying personal devices with personal information connected to a school network,” he said.

“Unfortunately, these are the targets that cybercriminals can attack easily and demand a ransom.”

Many schools were also “small enough not to have full-time cybersecurity teams and generally don’t have the resources for a 24/7 threat response partner”, he said.

Independent Schools Australia, the peak private schools body, was contacted for comment.

The ASD received 87,000 reports of cybercrime over the past financial year and responded to 121 ransomware incidents, up 3 per cent on the previous 12 months.

“Ransomware and data theft extortion impose a perverse, costly and highly disruptive threat to businesses and individuals,” Bradshaw said.

The report said that malicious cybercriminals had adjusted their ransomware tactics to include stealing sensitive data.

They then extort payments from victims in return for the recovery of the encrypted data.

The ASD strongly advises against paying ransomware demands because it encourages further attacks and does not guarantee that victims’ data will not be sold or leaked online.

The average cost of cybercrime rose to $49,600 per report, up 8 per cent on the previous year.

The federal government has introduced legislation into parliament to mandate minimum cybersecurity standards for smart devices and to introduce mandatory reporting of ransom payments by certain businesses.

Original URL: https://www.theage.com.au/link/follow-20170101-p5kru1