Scottish Council Admits Ransomware Crooks Stole School Data

Scotland’s West Lothian Council has confirmed that data was stolen from its education network after the Interlock ransomware group claimed responsibility for the intrusion earlier this month.

The local authority, governing a region bordering Edinburgh, originally said there was no evidence to suggest that data had been taken when it first disclosed the attack on May 6.

After Interlock posted what it claims is a trove of data belonging to the council this week, the authority confirmed late on Wednesday “that a small percentage of the overall data stored on the education network has been stolen.”

The council acknowledged the data includes personal and sensitive data.

It’s unclear if data belonging to children is among the terabytes Interlock claims to have stolen, although a cursory look at the ransomware group’s website shows teachers, parents, and guardians all had their data leaked in some way.

Through a non-exhaustive scan of the files, The Register found no evidence of student data being included in the leaks, and the council said confidential pupil records are stored on different systems and are therefore unaffected.

Financial data and bank details of payments made to schools, social work records, and corporate data such as council tax information, housing inquiries, and others, are also unaffected, according to the council.

Letters sent between schools, parents, and councillors discussing various matters concerning their children, such as their extra time allowance in exams, the amount of homework given, and their school attendance, however, were available via Interlock’s blog.

The Register also saw instances of scanned identification documents such as driving licenses and passports.

The council said the attack had minimal impact on the delivery of education and SQA exams, which are ongoing until June, but it is still working to understand the full extent of the attack.

A spokesperson told The Register: “Only a small amount of the overall data held on our education servers was stolen, and the majority of information held on them relates to operational issues for schools, such as lesson plans, that do not contain any personal details.

“We are aware that some personal or sensitive data is among the information stolen by criminals.

“Risk assessment has been carried out on any potential child protection issues at each of the schools affected, and appropriate action already taken if required.”

The council described the incident as a “sophisticated ransomware cyberattack,” and it’s working with Police Scotland and the Scottish Government to investigate it.

It is also in the process of contacting parents and carers at every school in West Lothian directly to inform them of the situation and provide advice on what to look out for and how to protect themselves after a data theft.

If they haven’t already, parents and carers will be advised to remain vigilant to the possibility that their stolen data could be used to target them by scammers or in phishing attacks.

Citing the “increasing number of cyberattacks affecting a range of businesses and organizations,” West Lothian Council also suggested affected individuals change their passwords, ensuring they’re strong and unique for each system.

Parents and carers were also asked not to contact their children’s schools or the council’s customer services lines, as neither has any more details than what was already provided to them.

The council said: “We would like to offer our sincere apologies to anyone potentially affected by this criminal cyberattack.”

It added: “Contingency arrangements for schools working well will continue until the end of the current school term.”

Public sector organizations have taken a hammering from ransomware crooks in the past year, either by being targeted directly or being affected by attacks on third parties.

Just over a year ago, England’s Leicester City Council lost control of its “misbehaving” streetlights after it was attacked by criminals working for INC ransomware.

Chester’s Blacon High School was forced to shut its doors and resort to remote learning in January after a mystery ransomware group targeted its systems just two days after Gateshead Council confirmed a Medusa attack.

And that’s not mentioning the myriad attacks on the UK’s National Health Service, which have ranged from highly disruptive hits on pathology providers to major children’s hospitals.

This all preceded the UK’s latest effort to scupper the ransomware business model, which involved consulting on new legislative proposals to ban ransom payments in the public sector.

The idea of banning ransom payments remains polarizing for the cybersecurity industry, but the idea behind a payment ban would be to disincentivize attacks on public services, since they couldn’t legally pay a ransom.

Banning payments in the public sector was one of three key proposals, which also suggested implementing a mandatory ransomware reporting regime and requiring non-public sector organizations to apply for government permission to pay ransoms.

The consultation on these proposals ended in April, and the results have not yet been published, although public responses have expressed broad support, albeit with a few suggested tweaks.

