Responding to Ransomware: Education Sector Focus

By DAC Beachcroft

Published 27 May 2021

Overview

On 23 March 2021, the National Cyber Security Centre released an alert noting “an increased number of ransomware attacks have affected education establishments in the UK, including schools, colleges and universities”. This followed an update earlier in the week from the FBI regarding a specific ransomware group’s efforts to target both UK and US educational establishments. A week later, a multi-academy trust which runs 48 schools was hit.

For universities, the stakes can be even higher where research is held on legacy networks and vast databases of student data are held, including identification documents and financial information. Extend this to the alumni database and there is a real treasure trove available for a cyber-criminal. For schools, there is also the sensitivity of student data to consider.

Over the past 18 months, our role in ransomware response has evolved somewhat. Historically, the forensic investigators would take the lead looking at system restoration with substantial legal support coming when the data could not be recovered (an “availability breach”). However, the rise of data exfiltration as a form of secondary extortion has seen that role change.

Data exfiltration is generally the unauthorised removal of data from a victim’s network by a threat actor. Once this data is removed, threat actors will use the data to leverage payment of a ransom where a victim may have been able to recover their systems from backup. Should a victim not pay, there is a risk that reams of data will be published on the threat actor’s shaming or doxing site on the dark web or other platform.

Those establishments that have fared well in these testing circumstances are those that have robust data breach plans in place. We work with a number of clients to stress test those plans and to think further than just a policy document. Organisations need to consider the practicalities of co-ordinating the response internally, assembling IT, DPO, executives, legal and others into one (virtual) room, especially given that the platform that would ordinarily be used for meetings may be shut down.

Due to the nature of the data exfiltrated, we have to work with the victim to assess a possible “confidentiality breach” which will generally include a full review of the data published and an assessment against the relevant criteria under the UK-GDPR. This requires substantial legal input for a victim to prepare them to notify those data subjects impacted who may be staff, students, alumni or wider members of the community. This is at the same time as dealing with the build-up to key events in the school calendar and complex arrangements given the COVID testing requirements in place.

An establishment also needs to deal with the costs of responding to such an incident. A saving grace for many has been the existence of cyber insurance to support the costs of dealing with the incident, in addition to support for wider losses and costs incurred by the establishment. The rise in these detailed data review exercises makes it all the more necessary to consider higher policy limits or risk the insurance being blown out of the water during the breach response process.

We have seen the nuances of data subject communications to staff members, former staff members, successful applicants, unsuccessful applicants, students and parents, all of whom have different interests and allegiances to the establishments. PR plans have to be addressed in greater detail with these stakeholders, considering, for example, face-to-face staff room discussions rather than an email notification in an environment where news travels very quickly.

All of this is considered alongside potential claims arising from impacted data subjects. We are aware that claimant law firms are actively recruiting potential clients for a number of educational breaches. The ease with which these firms can recruit through social media platforms (often within a matter of minutes) has also exacerbated the number of claims we have seen.

Whilst those claims are typically brought for relatively small amounts (up to £3,000), disposing of them can be time consuming and expensive when the claimant’s costs and ATE insurance premiums are factored in.

It cannot be denied that responding to a ransomware attack is a stressful and trying experience. We have been on many calls with fatigued clients working a full-time job and finding themselves acting as a full-time crisis responder. More recent developments pose an even newer threat. The prolific ransomware group DarkSide has been reported to be using triple extortion tactics to elicit further payments, having contacted patients at a clinic hit by the variant and requested payment to stop the release of private therapy files. It may be that we see this move to schools, where parents are contacted by threat actors either to force payment by the main victim or to seek further payment not to release their son or daughter’s sensitive information.