Recent Cyber-Attack On Councils: The Impact On Privacy Within Education Explained

By Myles Dacres

Several schools across Bristol have been left without access to their computers and essential personal data – after being targeted by cybercriminals. A spokesperson for Castle School Education Trust and South Gloucestershire Council said: “23 schools in South Gloucestershire have been affected by a ransomware attack that took place on Tuesday (16 March 2021) morning”.

A number of primary schools and secondary schools come under the trust including Marlwood and Mangotsfield secondary schools; Charfield, Severn Beach and Lyde Green primary schools and Downend School. Once the cyber-attack had taken place, none of the 23 schools had access to any of their IT systems resulting in all online sessions being cancelled and sensitive information and data relating to underage children being exposed.

Ransomware is a type of malicious software that cybercriminals use to block people from accessing their own data. The digital extortionists encrypt the files on computer systems, add extensions to the attacked data, and hold it “hostage” until the demanded ransom is paid. This was a highly sophisticated attack that breached multiple layers of protection of the IT system shared by schools in Castle School Education Trust (CSET) and partner primary schools in South Gloucestershire.

Lessons learnt from the recent attack

On the 19th May we will be hosting a session on the Lessons Learnt From Recent Cyber Attacks on CSET.

Our Director Phil Brining will be joined by 3 well-known names in the world of Data Protection to discuss what could have been done to prevent these attacks and what lessons we can take with us into the future to ensure something like this doesn’t happen to other organisations or, where it does, that we can help schools get up and running again.

Here are a few ways to prevent potential cyber-attacks:

  • Up-to-date security software.
  • Software and personal data management.
  • Regular risk assessments.
  • Encryption and data backup.
  • Staff training and awareness.
  • Ensure vendors and partners maintain high data protection standards.
  • Specialist data security evaluations.

During our session we will discuss some of the areas above and how they could potentially save your organisation from cyber-attacks, security breaches and loss of personal data.

Guest Speakers

Rowenna Fielding
Data Protection Consultant
Miss IG Geek

Rowenna Fielding is a nerd whose obsessive tendencies have served her well in building a career: first as an information security specialist, then as an advisor on data protection. Over the 10+ years since switching fields, Rowenna has been helping to bring data protection law to life in commercial and voluntary sector organisations, first in-house and more recently as a consultant. In 2020, Rowenna established her own company, Miss IG Geek Ltd, providing advice, support, training and guidance on data protection and eprivacy. If she won the Lottery, Rowenna would carry on working in data protection, because its intersection of technology, social order and human rights is just too interesting to miss out on, even if it is a bit of an uphill struggle most of the time.

Tony Sheppard
Presales Consultant
NetSupport

Tony Sheppard has a broad range of experience, from play leadership, sports coaching and EdTech to school leadership and information governance. He has long been a contributor of guidance to schools on data protection and information management, through Becta, Northamptonshire County Council, and communities such as EduGeek.net and PrivTech Nation. As the former Head of Services at GDPR in Schools, Tony supported the creation of the DfE’s GDPR Toolkit for Schools and continues to drive school collaboration through the Data Protection Working Group’s website Education Data Matters (https://www.educationdatamatters.org.uk). Tony has recently joined NetSupport as a consultant, working with schools and organisations as they make decisions on how to implement the wide range of IT and Classroom Management tools. Tony is also the founder and principal consultant for My Data Protection World, providing guidance to companies and their customers on suitable technology, and the privacy, data protection and security needs involved. Tony continues to contribute to Information Governance in schools as a contributor to the IRMS Toolkits, via ICO workshops and through advocacy groups, and has just launched an Open-Source project to support the creation of readable Data Processing Agreements between EdTech vendors and schools.

Sarah Harriott
Corporate Governance Solicitor
Coventry City Council

Sarah specialises in providing legal advice to Coventry City Council in matters of Data Protection, FOIA and EIR. She also advises on wider matters of corporate governance. Sarah’s background is in civil litigation, and she has transferred these skills to advising the Council, helping it interpret the relevant legislation and case law and ensuring it meets its data protection obligations.

Joining Information
Time: 12:30-13:30
Date: 19/05/21
Location: MS Teams

If you would like to join this session, please get in touch with [email protected] for a calendar invite.

If you would like to get involved with future events or if you are interested in presenting in partnership with Data Protection People, please contact [email protected]


 



IMPORTANT INFORMATION

We have been advising those people who have contacted us that they should make a complaint to the Information Commissioner’s Office (ICO) using this link https://ico.org.uk/make-a-complaint/nuisance-calls-and-messages/spam-texts-and-nuisance-calls/. It would be helpful to the ICO if you knew the number that called you, the date and time of the call and what the call seemed to be about.

You might also want to register your phone number with the Telephone Preference Service (TPS), a national suppression service which should cut down calls of this nature, as it is not lawful to make unsolicited direct marketing calls to numbers registered on the TPS. You can register your number here https://www.tpsonline.org.uk/register.

We know that these kinds of calls can be distressing and intrusive and you have our sympathy. Please do not hesitate to contact us if you would like to discuss it with us; otherwise we’d encourage you to report it to the ICO, as notifying them of this kind of practice enables them to investigate and take enforcement action where necessary. You can see the action that has been taken by the ICO here https://ico.org.uk/action-weve-taken/enforcement/.

Data Protection People Limited – March 2021