, ,

Cyber Attacks on Education

, ,

Callous Cyber Criminals Attack Schools in Nottingham and Gloucestershire Lock Future Generations Out Of Education

What has happened?

Children across the country have had an incredibly tough year.  Throughout the pandemic pandemonium, they have been deprived of their basic right to access education provision due to schools, colleges, and universities closing their doors since March 2020. [1]

However, rubbing salt into the wound on 4th March 2021 [2] it was reported that 15 schools in Nottinghamshire have been “crippled” by a cyber-attack. [3]

Further on 17th March 2021, we learned that several South Gloucestershire schools had experienced an audacious ransomware attack.  Twenty-four Castle School Education Trust schools were attacked including Castle School and Marlwood School.  [4]

What does this mean?

The extent of the problem is huge.  In the counties of Gloucestershire and Nottinghamshire alone around 40 schools were unable to access their IT systems and provide vital education provision to their students due to a callous spate of targeted and untargeted cyber-attacks [5].   

The cyber-attack on Nova Education Trust schools in Nottinghamshire brutally attacked the education system and the future generations of the United Kingdom.  It meant that staff could not support the needs of homeschooled children to be provided with essential lessons as access to their school websites, email correspondence, and remote working was unavailable.  [6]

The extent of the cyber-attack in South Gloucestershire Council is only just beginning to materialise.  There was colossal damage caused to the school infrastructure system which resulted in the school internet access being closed down and the cancellation of the Year 8 parents’ evening.  Parents were encouraged to contact the school via telephone rather than via email.  [7]  The school had no alternative but to rebuild over 1,000 devices.  Many teachers were forced to commence the new school term without modern essentials such as laptops, whiteboards, and other vital equipment.  [8] 

Councillor Alison Evans, told South Gloucestershire Council of  the devastating impact, “Years of topic lessons and intervention plans have been stolen, last year’s remote learning has been lost.” As well as “Online registers, coursework and children’s reports have been inaccessible for the last month”.[9]

What does this mean for the Legal Sector?

The recent callous spate of targeted and untargeted cyber-attacks brings into sharp focus the importance of highlighting the cybersecurity risks prevalent in the education system.  [10]

The risks to cybersecurity are easy to recognise and you do not have to look very far.  Free malicious software is barely a click away, employees can easily pass data to competitors or effectively the “back door” can be left open to computer systems and the authority vulnerable to attack.  [11]

The financial implications for Local Authorities can be astronomical.  The response, IT, and technological costs following the cyber-attack on TalkTalk are estimated to have cost around £35 million.[12]  From an accountancy perspective, more investment is required urgently to prevent history from repeating itself and the devastation experienced by young people in Nottinghamshire and South Gloucestershire from continuing. 

The potential legal impact is colossal.  When sensitive data is lost, leaked, stolen, or damaged in a successful attack on a Local Authority or school it opens up the possibility of claims for damages from data subjects. [13]As well as fines of up to 10,000,000 Euros and up to 2% of the total worldwide annual turnover of the preceding financial year and rectification costs.  [14]

Local Authorities and schools are not protecting the security and privacy of the data they hold.  Local Authorities should take reasonable steps to protect themselves.  The strategy for reducing the number of these attacks needs to focus on drafting, implementing, and enforcing strong policies.  They need to seek comprehensive advice on available insurance options to cover them in the event of a breach.  If they do not enact these measures then a potential breach of GDPR may occur and it will risk another cyber-attack.  [15]

 As criminals take advantage of ever more sophisticated technologies the likelihood of many more cyber-attacks grows.  However, if advice is taken, government guidance is followed and money spent to implement measures like those above then billions of pounds of hard-earned money will be saved.  It seems likely that if Local Authorities are fined the cost will be passed on to the hard-pressed Council Taxpayer. 

Written by Adam Green

Assessing firms
#Linklaters #Clifford Chance #Slaughter&May #White & Case #Bird&Bird #RPC #McGrath Nicholl #ShooSmiths #Kennedys #Pinsent Masons #Accenture #Latham & Watkins #Goldman Sachs #JP Morgan #King Wood Malleson# @KTS_Law @StatewatchEU

References

[1] Article 2 of the First Protocol: Right to education;

[2] Bobby Hellard, ‘15 schools in Nottinghamshire crippled by cyber attack’ (IT PRO, 4 March 2021) <https://www.itpro.co.uk/security/cyber-attacks/358770/15-schools-in-nottinghamshire-crippled-by-cyber-attack> accessed 21 April 2021.

[3] ibid.

[4] Huw Mabe, ‘South Gloucestershire schools hit by ransomware attack’ (Gazette, 17 March 2021) < https://www.gazetteseries.co.uk/news/19166292.south-gloucestershire-schools-hit-ransomware-attack/> accessed 21 April 2021.

[5] Ibid.

[6] Ibid.

[7] Ibid.

[8] Adam Postans and Amanda Cameron, ‘Ransomware attack on 24 South Gloucestershire Schools’ (Gazette, 19 April 2021) <https://www.gazetteseries.co.uk/news/19242374.ransomware-attack-24-south-gloucestershire-schools/> accessed 21 April 2021.

[9] Ibid.

[10] Michael Frisby, ‘The legal consequences of a cyber-attack’ (UK Tech, 2016 and Tech City News magazine – ‘The Cybersecurity Issue’ – issue 9. <https://www.uktech.news/tech-city-voices/the-legal-consequences-of-a-cyber-attack-20160423> accessed 23 April 2021.

[11] Ibid.

[12] Tech City News magazine - “The Cybersecurity Issue” – issue 9.  https://www.uktech.news/tech-city-voices/the-legal-consequences-of-a-cyber-attack-20160423;

[13] Ibid. 

[14] Lawbite, – 21 November 2016 – ‘Cyber Attacks – The Legal Implications for businesses’, General Data Protection Regulation 2018; Data Protection Act 2018; Communications Act 2003; Privacy and Communications (EC Directive) Regulations 2003; Computer Misuse Act 1990; Official Secrets Act 1989; <https://www.lawbite.co.uk/resources/blog/cyber-attacks-the-legal-implications-for-businesses> accessed 23 April 2021.

[15] Graham Cluley, - 12 April 2021 - ‘Upstox warns of serious data breach, resets passwords’ - https://grahamcluley.com/upstox-warns-of-serious-data-breach-resets-passwords/; accessed 23 April 2021.

Graham Cluley, – 27 January 2016 – ‘Gov ‘is not taking cybercrime seriously’ - <https://www.itpro.co.uk/security/25943/gov-is-not-taking-cybercrime-seriously> IT PRO; accessed 23 April 2021.

CESG, the Information Security Arm of GCHQ – ‘Common Cyber Attacks – Reducing The Impact –– P5’ - Common_Cyber_Attacks-Reducing_The_Impact.pdf - <publishing.service.gov.uk> - accessed 23 April 2021.

Francis Maude,– March 2015 – ‘The role of Insurance in Managing and Mitigating the Risk’ – HM Government – Marsh Limited - UK_Cyber_Security_Report_Final.pdf (publishing.service.gov.uk) – accessed 23 April 2021.

Disclaimer: This article (and any information accessed through links in this article) is provided for information purposes only and does not constitute legal advice.