Schools data hack exposes students for years to come, experts warn

The unprecedented cyberattack exposing thousands of Victorian students’ data could have long-lasting implications, cybersecurity experts have warned.

University of Canberra adjunct professor Samuel Spencer said the sensitive information, which the Department of Education revealed on Wednesday had been stolen from a departmental network, would likely remain for sale on the dark web for years to come.

“Unlike a stolen car that can only be sold once, this data can be sold again and again and again re-victimising those impacted,” Spencer said.

All state schools have been affected by the breach, with more than a million past and current state school students potentially exposed.

The department temporarily disabled its systems and reset student passwords, locking secondary students out of their accounts a fortnight before school resumes.

“This data might may not have value now,” Spencer said, “but as students enter the workforce, it may be valuable if someone’s security question is, ‘what school did you go to?’ So the risk isn’t just the impact on people today, it could be five years down the track.”

Melbourne University computer security expert Dr Shaanan Cohney agreed the data risked being used as a negotiating tool to access further information in the future.

“Even if the hackers were kicked out, they now know more about their targets,” he said.

“It means that they can leverage information to make them [the hackers] seem trustworthy down the track and potentially gain access to other schools and partners.”

Swinburne University cybersecurity expert Professor Yang Xiang said the breach was unusually large given the number of people affected.

“Behind the students are hundreds of thousands of families, and the hackers can link information details and further exploit other information sources,” he said.

“This might bring a significant impact to the whole education sector, so I think this is quite a serious incident.”

Xiang agreed hackers were likely to keep the information for future use, especially if they were organised criminals.

The department confirmed on Wednesday that the unprecedented incursion by an external third-party occurred, but did not say when the attack took place.

The names, year levels, school names and school-issued email addresses of primary and secondary state school students were accessed. Personal data – including dates of birth, phone numbers and home addresses – were not obtained.

It is understood that the information was accessed through a school network.

Compass Education, which is used by schools and teachers, confirmed it was not compromised in the breach.

“The usual flow of student information to third parties (including Compass) was paused while the matter was investigated,” a company spokesman said.

“We understand that the department is currently in the process of re-establishing these flows.”

There are more than 1500 primary, secondary, combined prep to year 12 schools and specialist government schools in Victoria.

Education Minister Ben Carroll said he expected the department and relevant authorities to take every measure to protect students’ data.

“Parents and students have been provided with information and guidance on how schools are managing the situation ahead of the return to school,” he said.

The department’s acting deputy secretary, Stacey Gabriel, wrote to school leaders on Wednesday and provided a letter for schools to send to families.

Gabriel also urged principals to contact families if they held serious concerns for their safety, adding that Victoria Police and domestic violence support service The Orange Door could also be called upon.

Family violence expert Professor Troy McEwan said that although it is likely only a small number of students were subject to serious non-contact orders in the state, the hack was nonetheless anxiety-provoking.

“It’s quite frightening for families to cut off contact with an abusive person and feel their information may be at risk,” the Swinburne academic said.

McEwan said it was important for people to carefully monitor the situation, but to be realistic.

“It’s really important to be realistic about the risk. It doesn’t mean people can find them at the moment, but that is a potential [risk],” she said.

A spokesperson from Safe and Equal, a body that specialises in family and gender-based violence, said it was essential that timely and clear updates are provided to impacted families.

“While the scale of this data breach was reportedly limited, even basic details like names, email addresses and schools can increase risks for victim-survivors and reveal information that has purposefully been kept from perpetrators for safety reasons.”

The spokesperson said any data breach involving children and young people was incredibly concerning, especially in the context of family violence.

Be the first to know when major news happens. Sign up for breaking news alerts on email or turn on notifications in the app.