Students and teachers at English high school impacted by ransomware attack

Another English school was listed on a ransomware group’s extortion website on Monday evening, with the criminals threatening to publish stolen data unless Tanbridge House School in West Sussex paid an unstated fee.

The headteacher at the secondary school, which has around 1,200 students aged between 11 and 16 enrolled, previously told parents there was no evidence the criminals had stolen sensitive information.

On March 10, staff and students at the school were the latest in the United Kingdom to be locked out of their computers in a ransomware attack.

The Ransom House criminal group has now claimed on their extortion site to be behind the attack, stating: “We were waiting for you for quite some time, but it seems that your IT department decided to conceal the incident that took place in your company.”

Headteacher Mark Sheridan had sent a letter to parents the week before last warning the school had suffered a cyberattack which had “a big impact on the normal running of the school,” as reported by local newspaper Sussex World.

Sheridan’s letter said the school brought in an external IT security team who “told us that while the hackers managed to gain access and lock us out of all of our systems, no evidence has been found of any breach of data or compromise of sensitive information.”

As part of the extortion listing, the ransomware group included what it described as an “evidence pack” showing it had compromised personally identifying information regarding staff and students.

The school did not respond to The Record’s request for comment last week and did not immediately respond to a follow-up request on Tuesday following the listing.

In his letter to parents, Sheridan added that the incident had been reported to the Information Commissioner’s Office, the U.K.’s data protection regulator.

What is the Department for Education doing?

In recent weeks multiple schools in Britain have been impacted by ransomware attacks conducted by different criminal groups, including Wymondham College, the largest state boarding school in the country.

Back in February, the Vice Society group published data from Guildford County School that appeared to include safeguarding reports — the sensitive internal documents teachers write to record information about at-risk students.

Asked about the number of attacks impacting schools, a spokesperson for the Department for Education told The Record the department monitors cybersecurity incidents closely and that there is no evidence to suggest attacks are on the rise.

“Cyber-attacks on schools undermine the hard work of school leaders and are completely unacceptable,” the spokesperson added.

They said the department provides a risk protection arrangement to more than 9,500 schools throughout England. The program includes cover for cyber incidents as well as access to a 24/7 incident response service.

The spokesperson said: “There is a range of guidance and support available to schools to help them to prevent and manage cyber security incidents. If a school or trust is concerned that they might have been a victim of an attack, then they should contact the Department.”

One executive at a school that was impacted by a ransomware attack, who asked to speak on background, told The Record that they had no issues with the support the Department for Education provided to them.

Britain’s lead authority on cybersecurity, the National Cyber Security Centre (NCSC), first issued an alert to schools about ransomware attacks in September 2020, warning of “an increased number of ransomware attacks affecting education establishments in the U.K., including schools, colleges, and universities.”

The alert page states that it has been updated several times since then due to further ransomware attacks.

The NCSC continued to reference an increase in attacks as recently as last month when it published a survey finding that “despite an increase in the number of ransomware attacks” schools were becoming “better prepared” to deal with these incidents.

This preparation includes protecting IT networks but also focusing on a quick recovery from the incident itself.

The cybercrime group known as Vice Society has been behind a spate of ransomware attacks targeting educational establishments in Britain and around the world. The criminals extort their victims by stealing sensitive data and threatening to release it unless a ransom is paid.

Last year the Hive ransomware group demanded £500,000 (about $608,000) from two schools in England following an attack. In January, law enforcement agencies in the United States and Germany announced they had “hacked the hackers” and taken down the infrastructure used by the Hive gang.

Back in February the BBC reported that highly confidential data stolen from 14 schools in the U.K. had recently been published by the group. In several situations the schools did not inform students and staff that their data had been published on the leak site.

Ransomware attacks have also been a widespread problem for U.S. educational institutions, including recent incidents in the Los Angeles Unified School District and systems in Iowa and Massachusetts.

The scale of the threat posed by the financially motivated criminal hackers has caused significant concern for British officials, with a joint committee of lawmakers currently holding an inquiry into whether the U.K.’s national security strategy is effectively addressing the threats posed by ransomware.

As The Record reported last November, ransomware incidents in Britain were becoming so disruptive that the majority of the government’s “Cobra” crisis management meetings at the time were convened in response to them rather than other emergencies.