Hackers increasingly targeting schools

Whilst the news is full of stories about hacks on large corporations or governments, hackers are increasingly targeting schools as a lucrative source of data. The rapid adoption and use of technology in schools has meant that many schools have expanded their attack surface without having the necessary cyber defences to defend it, allowing hackers the ability to exploit vulnerabilities in schools IT systems. Schools collect and store a significant amount of personal information and sensitive personal information, including student records, staff records, financial data, disciplinary action, psychological reports, and health information. The disclosure of this information on the dark web can be detrimental to parents, students, and teachers for years to come.

In the last few years Australia has seen several schools reporting cyber incidents including:

1. Newcastle Grammar School reporting a ransomware attack in 2021 which left its IT systems so badly damaged forensic investigators couldn’t establish how the attack began or where it began[1].
2. Hackers leaking data relating to Tasmanian school children on the dark web in early 2023[2]; and
3. Parents credit card details being accessed by hackers at Mount Lilydale Mercy College I in January 2023[3].

This increase in attacks targeting schools has been recognised as a wider global cyber trend. Air Marshal Darren Goldie, Australia’s National Cyber Security Co-Ordinator, speaking at an event to kick off the ACSC’s Cyber Security Awareness Month for 2023 noted that “schools are becoming more prominent targets…. We’re seeing this play out in the US where is a significant problem”[4].

Whilst it is difficult to obtain actual statistics on how many schools have been affected by cyber attacks as only a minority are reported, Emsisoft, a US cyber security firm, have found that in the United States 108 K-12 school districts were impacted by a ransomware attacks in 2023, that number had increased from 45 in 2022 and 62 in 2021. Furthermore, the United States Government Accountability Office published a report in October 2022 found that schools are reporting the loss of learning time from a cyber attack to be in the range of 3 days to 3 weeks, but that recovery time can take as long as 9 months[5].

Schools are facing a significant crisis from cyber attacks especially ransomware attacks. A cyber security incident can expose schools to several legal risks including:

1. investigating and disclosing an eligible data breach in accordance with the relevant privacy legislation such as the Privacy Act 1988 (Cth) (Privacy Act)
2. regulatory investigations as to the school’s compliance with the relevant privacy legislation which could result in the payment of penalties associated with the handling of personal information if the school is found to have not complied with the relevant privacy legislation
3. claims from third parties affected by the breach, including
   1. class actions if the school has failed to protect, or take reasonable steps to protect, personal information of current and former teachers, students, and parents
   2. breach of contractual obligations by the school;
   3. breach of a duty of care depending on the impact and scope of the cyber attack.
4. claims from the ACCC relating to the use of data by independent schools. Independent schools are engaged in a business that sells education and are therefore subject to the Australian Consumer Law.

Following on from a cyber attack, schools may also look to determine who is at fault, given the interconnectedness of IT systems and the prevalence of third party software providers as part of the school digital ecosystem the risk of third party supply chains is significant. For example the largest ransomware attack in 2023 arose from the MOVEit vulnerability where cybercriminals used a vulnerability in file transfer software to steal data.

Whilst schools are under attack, having lawyers who can assist to navigate this complex regulatory and risk landscape can be a tool in the cyber defence arsenal. FAL can assist schools with:

1. Contract Review and Negotiation: FAL has experience in reviewing, drafting and providing advice on contracts with third parties technology vendors to ensure they include adequate provisions for security measures and the allocation of risk and liability in the event of a breach..
2. Litigation and Legal Remediation: In the unfortunate event of a cybersecurity incident, FAL can provide support in navigating the legal aftermath, including in respect of claims being made against the school or else claims the school needs to make.

Regulatory Compliance: FAL can assist schools comply with the relevant laws such as the Privacy Act, the Australian Consumer Law, and the computer crime provisions of the Commonwealth Criminal Code Act 1995 (Cth), including drafting policies and procedures to support such compliance.

[1] https://www.itnews.com.au/news/newcastle-grammar-school-reveals-post-mortem-of-ransomware-infection-569610

[2] https://www.afr.com/politics/federal/hackers-leak-16-000-aussie-school-kids-info-20230407-p5cyyl

[3] https://www.theage.com.au/national/victoria/hundreds-of-parents-hit-by-credit-card-hack-at-lilydale-school-20230131-p5cgty.html

[4] https://news.nab.com.au/news/cyber-attacks-know-no-boundaries-and-the-front-line-of-defence-starts-with-us-all/

[5] United States Government Accountability Office ‘Critical Infrastructure Protection, Additional Federal Coordination is needed to enhance K-12 Cybersecurity” https://www.gao.gov/assets/gao-23-105480.pdf