The term ‘identity data’ refers to digital information that can be linked back to you as a person.
It’s your name, your date of birth, your physical address and your email address. It’s your passwords, your online search history and online shopping behaviour, the posts and community groups you ‘like’ on Facebook, the locations of places where you take photos that you later post on Instagram. It’s… well, it’s your entire digital life.
As David Eedle, Co-Founder and CEO of EdSmart, explains, “There is a phenomenal amount of data generated every moment, and the vast majority of that data has a connection back to an individual person. That is identity data.”
While the examples cited above relate to how we live our lives in our own time, schools also collect a large amount of identity data.
“Schools maintain records and information about staff, about students, about former students and parents,” continues David. “Sometimes, that data is minimal – a first name, a last name and email address. Other times, particularly for students, it’s incredibly detailed and it can include information that’s classed as sensitive – medical, pastoral care, mental health and so on. Obviously, that information is intensely private to that individual, and it has to be maintained and guarded and protected to the best possible degree.”
Because of the highly sensitive nature of the identity data schools collect, they have a major obligation to secure that information.
“We’re talking about real people and real lives, and the potential for harm to people, so this stuff has a real-world consequence if you get it wrong,” says David. Protecting, managing, maintaining and securing identity data, he argues, needs to be the highest priority inside a school within the technology they use.
Schools and ransomware
The education sector is experiencing a huge spike in cyberattacks in the form of ransomware attacks.
Data collected in July 2021 by Check Point Research (CPR) recorded 3,900 documented attacks impacting schools, universities and research centres each week. Overall, attacks rose 17 percent over the first half of 2021, as cyber criminals looked to capitalise on the short notice shifts back to remote learning.
“You could argue that the single most valuable asset that a school, or indeed any organisation, has is the data about their people,” David remarks. “And education has turned out to be a particular target because it’s seen as a soft target — many schools aren’t prepared for defending themselves against cyberattacks.”
Yonatan Zuriel, a Cyber Threat Intelligence at CTRL Group, adds, “Personal Identifiable Information (PII) is a highly sought-after commodity. Threat actors are willing to pay a lot of money for it, and there are specific marketplaces for it all over the Dark Web. Cybercriminals can ask to steal data from specific victims or purchase stolen information out of the available offerings, acquired via data breaches from around the world.”
In 2020, Newcastle Grammar found itself the victim of one of the most devastating ransomware attacks Australia has seen, as hackers encrypted the school’s core IT network accessing identity data, student exam results, emails and a range of other services vital to the running of the school. Hackers demanded around $1 million dollars in cryptocurrency* from the school to restore their systems and return their identity data.
As explained by the Newcastle Grammar’s Principal, Erica Thomas, the attack was so bad and damaged the system so badly that cybercrime forensic experts and the school’s IT team were unable to determine how it was initiated.
In August 2021, six Isle of Wight schools in the UK were hit in a cyberattack that encrypted valuable identity data and other information, and prevented staff from accessing their IT systems.
While there are numerous examples of hackers targeting schools and universities, they are not alone – attacks have also been made on technology partners to the education sector i.e. EdTech providers. In January 2022, a third-party software company that specialises in website design, hosting and content management for schools, Finalsite, was the victim of a ransomware attack. Details released by Finalsite said that 5,000 of its 8,000 global customers had been affected by the incident.
Ransomware has become one of the biggest cybersecurity problems in schools globally. And it’s not just K-12 schools that are feeling the heat; tertiary and higher education institutions are being targeted too.
“These attacks are agnostic,” David Eedle admits. “It doesn’t matter whether you’re a private school, a Catholic school or a government school. It doesn’t matter whether you’re in England or Wales or Scotland or Australia or the US. It doesn’t matter where you are because hackers are global. They simply go after whatever they target. And it’s clear that hackers have decided the education sector is a soft target.”
Yonatan from CTRL Group agrees: “The education sector is amongst the top targeted sectors, and the COVID-19 pandemic encouraged more threat actors to have their sights on it. Australian Cyber Security Centre (ACSC) reports from the 2020-21 financial year show that 6.2% of all monitored incidents were against education institutions – roughly one cyber-attack every two hours.”
Schools combatting ransomware
While, realistically, there is no computer system that can’t be hacked if enough resources and brainpower are put into it, the good news for principals and school IT managers is there are some easy steps to take that make it more difficult for cybercriminals to access valuable identity data. Specifically, David says schools should ensure their software is up to date with the latest security patches, and that staff are regularly trained to recognise scam or ‘phishing’ emails.
He also believes it can’t be understated the importance for schools partnering with third-party software providers to start a conversation with these providers to find out how they’re protecting identity data within these third party networks.
“EdSmart carries cyber insurance against data breach and its consequences. Because the cost of that insurance went up, our insurance company gave us a kind-of ‘internal analysis’ of the insurance market for cyber. It turns out that there has been a phenomenal increase in the number of claims over, say, the last two years for ransomware attacks.”
“I remain amazed at the lack of questioning of us and our product about our cyber security from prospective customers. That is, I don’t think our customers – or prospective customers – ask us enough questions about the way we protect their data,” says David.
“The protection of identity data needs to be a partnership between a school and the vendor,” he concludes. “There needs to be an open conversation between the two parties about how the information is being protected. How are we managing it? How are we controlling it? What measures do you take? And so on.”
Identity data is a precious commodity. The incidence of cyber-crime in the form of ransomware attacks on the education sector has seen a sharp increase due to many institutions failing to have the right levels of security in place and a lack of awareness from staff, students and parents.
Schools need to prioritise the security of identity data to protect sensitive, and valuable information of a vulnerable cohort (i.e. children), and to minimise the often catastrophic disruptions that a ransomware attack can have on the day-to-day functioning of a school.
But protecting your school’s data identity data can be prioritised quickly and efficiently by making sure your software security is up to date, using two-factor authentication whenever possible, and that your staff receive regular education on how to identify ransomware before it enters the school’s IT system.
Most importantly, though, schools must know and understand the processes their third-party software platforms – those outside their ‘inner sanctum’ – have in place to secure the identity data they collect.
*Ultimately, the school decided not to pay the ransom.
Read the next article in our Identity Data series, Managing your school’s identity data better.