Hacking has made the headlines this year. After a string of high-profile cases such as TalkTalk, the telecoms group, and Ashley Madison, the online dating site, education joined the list this week when education network Jisc was hacked, leaving many institutions without an internet connection for several days.
Aside from crippled services, the worst outcome is the exposure of students’ personal data. Just how easy that can be was demonstrated last month when a cyber attack on toy manufacturers V-Tech revealed six million children’s identities.
Experts say that smaller attacks are happening more than official statistics show. Hacking is defined as “unauthorised access to a computer”. This may extend further than you expect. Under the Computer Misuse Act 1990, even a student who knowingly goes into another student’s Facebook page without their permission has “unauthorised access” and is, strictly speaking, acting illegally. These incidents are almost never reported. Where hacking is reported, it is mostly because of a personal data breach. Of the 116 data breaches in education institutions over the past year reported to the Information Commissioner’s Office (ICO), about a quarter (21) resulted from “cyber attack or IT failure”, “unauthorised access” and “data theft”. And these are probably only a fraction of incidents in schools every day.
Several other issues surround hacking in the education sector. First, school computer systems have particular vulnerabilities to “unauthorised access”, according to Action Fraud, the UK’s national internet crime reporting centre and the organisation to whom schools are supposed to report all cyber crime.
Steve Proffitt, Action Fraud’s deputy head, told Schools Week that school’s wi-fi systems and large budgets make them attractive to hackers. “Most schools have a wi-fi network. That’s very, very susceptible to cyber crime,” he says. “All your pupils are going to get access to the wi-fi, so the chances of someone having access to it outside are large. A white van could just sit outside listening in.”
Remote-dial telephone systems are also vulnerable. Action Fraud has known of schools returning from holidays to a £100,000 bill after a hacker, having cracked the password security, used its multiple lines to dial a premium rate abroad while reaping the 30p a minute charge. The school must pay the bill since the telephone company holds them responsible for failing to change their passwords often enough.
A student hacked the systems of Bay House School in Hampshire three years ago. Having cracked a staff member’s password, he tried it across other administrative systems and found it worked – making him privy to 20,000 individuals’ information, including the medical information on 7,600 pupils, according to The Guardian.
The school’s advice for staff to “avoid” repeating passwords across sites was found to have been inadequately enforced. “Schools are just not aware of all the ways they can be attacked,” Proffitt says.