The New Zealand Herald has reported that six schools were targeted with "dozens of attacks" aimed at taking down their websites in the first week of this term. The "distributed denial of service" (DDoS) attacks involve multiple computers bombarding a school's internet connection with massive amounts of unwanted traffic. This aligns with data from the Office of the Australian Information Commissioner (OAIC) showing an overall increase in data breaches across all sectors in Australia, with 57 per cent of those data breaches attributed to malicious or criminal attacks, of which DDoS attacks are one form.
Cyber Attacks in Schools in New Zealand
Network for Learning, a New Zealand company that provides internet services to 98 per cent of New Zealand schools, is reported in the article to have said that six schools were targeted with multiple attacks aimed at taking down their websites in the first week of this term through an increase in traffic to their website. The article goes on to say that the "chief product officer Gavin Costello said that all six schools targeted so far this term were intermediate or secondary schools, suggesting that the attacks may have come from disgruntled students."
An NTT Security report has said that attacks against the education sector jumped from 9 per cent to 18 per cent of all attacks in 2017 internationally, while attacks against the finance sector have dropped from 46 per cent to 26 per cent.
Network for Learning has said, "there's not much a school can do to prevent a DDoS attack. If it is student-led, however, then there may be ways to reveal the likely instigator by observing student behaviour." Other suggestions offered for schools include reviewing staff and student laptops connecting to school networks without adequate security, as many staff and students using Bring Your Own Devices (BYOD) may not be aware whether or not the device they are using is infected with malware.
OAIC Report - Malicious Cyber Attacks in Australian Schools
The New Zealand situation does not seem to be too dissimilar to the Australian schools context, with the OAIC's Third Quarter Notifiable Data Breach Report (OAIC Report) showing an increase in data breaches overall, with 57 per cent attributed to malicious or criminal attacks similar to the ones described in New Zealand. A recent Verisign report has also shown a 111 per cent increase between 2017 and 2018 in the average attack peak size for DDoS attacks (a type of malicious or criminal attack). The Verisign report also showed that 62 per cent of those who experienced a DDoS attack in Q2 2018 were targeted multiple times.
This shows that, despite non-government schools only being the fourth most targeted sector according to the OAIC Report, malicious or criminal cyber attacks should be a current concern for all schools, and practices and procedures should be in place for notifying the OAIC of any notifiable data breaches (NDBs) that result from cyber attacks.
Reminder for Schools About Notifiable Data Breaches
As a reminder for schools, a data breach occurs when personal information is lost or subject to unauthorised access, modification, disclosure, or other misuse or interference. For schools, data breaches are not limited to hacking or cyber attacks on school systems. More commonly, data breaches occur due to internal human errors or a failure to follow information handling policies that result in personal information being inadvertently lost or disclosed to the wrong person.
As stated in previous School Governance articles, the NDB Scheme is designed to prevent schools from concealing data breaches if the breach is considered to result in serious harm to the affected person(s) (i.e. eligible data breaches). However, it is important to note that not all eligible data breaches come under the NDB Scheme. The OAIC does not require notification of the following eligible data breaches:
- if remedial action is taken to contain a suspected data breach and thereby prevents the likely risk of serious harm occurring, and the action is successful
- if the data breach cannot be successfully remedied but it is believed that no serious harm could result.
Further, if there is uncertainty as to whether the data breach has been successfully remedied or whether serious harm will result, but it is reasonable to suspect that the breach might be remedied or that serious harm will not result, there are 30 days to determine this before a report is required.
For more information on NDBs and how to deal with them, please see here.
Importance of Privacy Risk Management in Protecting Against Cyber Attacks in Schools
OAIC Commissioner Angelene Falk said training staff on how to identify and prevent privacy risks needs to be part of business as usual. “Everyone who handles personal information in their work needs to understand how data breaches can occur so we can work together to prevent them...Organisations and agencies need the right cyber security in place, but they also need to make sure work policies and processes support staff to protect personal information every day."
Privacy risk management must be a part of the school culture, and all staff should be aware of the risks associated with data breaches or malicious cyber attacks occurring at the school. Schools can think of privacy risk management as a four-step process:
- embedding a culture of privacy that enables compliance
- establishing a robust and effective privacy process
- evaluating a school’s privacy processes to ensure continued effectiveness
- enhancing a school’s responses to privacy issues.
By training staff, and implementing privacy risk management by design, schools will be responding to the major hazards identified in the OAIC Report and will promote the security of personal information of students and staff members.