School cyberattacks represent some of the most significant threats to data privacy in the UK, primarily because of the sensitivity of the information that school systems hold.
While cybersecurity procedures will hopefully be followed well by most staff, the effects can be dangerous when a cyberattack exposes children, parent, or staff information.
Teachers and schools have an important duty of care for their pupils and are often privy to confidential information to allow them to protect children and provide tailored educational plans. This means that a lot of private information falls under their protection, whether this is provided by children and families, or shared with them by social services.
The risks of school cyberattacks
A 2020 government report on the cybersecurity of educational institutions reportedly found that 41% of surveyed primary schools and 76% of secondary schools had identified breaches and attacks over the course of 2019.
The cyberattacks came through several different routes, including viruses, spyware, malware, and online and email impersonations of staff/ organisations.
The most prevalent form of attack was “fraudulent emails or being directed to fraudulent websites”, a phenomenon more commonly known as phishing. While the study only covered a small number of schools, these examples sum up the kinds of cybersecurity breaches that can threaten educational establishments.
Cases of cyberattacks at schools
A recent cyberattack at a secondary school in Sandwich forced school management to warn parents of the potential risks of identity theft.
Several of the school’s servers were subjected to a ransomware attack, in which personal details including names, addresses, dates of birth, and phone numbers were exposed. Fortunately, no immediate financial risk was involved, as parents’ bank account details were stored on a separate system. In this case, firewalls and antivirus protection appear to have been no hindrance to the cybercriminal(s).
It also appears that the coronavirus pandemic has had an impact on cybersecurity in schools. With the majority of pupils learning remotely via their own devices, or ones provided by their schools, more education is being conducted over the internet which means that there can be more points of entry for cyberattacks. The National Cyber Security Centre confirmed that attacks were becoming more frequent in September, noting an increase in targeted ransomware attacks affecting the education sector.
Data protection violations and compensation claims
With school cyberattacks on the rise, it is more important than ever that schools are upholding their own data protection responsibilities to tackle external threats.
Schools must ensure there are no vulnerabilities, whether these are in weak software or hardware, or in the practices of staff. Failing to do so could mean that they are liable for damage arising from cyberattacks where they are in breach of the GDPR.
If you believe that a school or staff member is accountable for a cyberattack or data breach, you may be able to claim compensation. The GDPR is there to make sure organisations and individuals are held accountable for failing to protect data, and the Data Leak Lawyers are here to guide and advise clients on their potential claims.