The incident
The DfE cyber response team notified the school that their remote credentials were for sale on the dark web.
Actions taken
The school’s cyber plan was activated immediately, and all remote access was switched. This ensured anyone purchasing the credentials wouldn’t be able to access the school network.
The following day a police report was filed and school staff informed of actions they would need to take, including resetting usernames and passwords for themselves and pupils. During this, the school took the opportunity to update its secure password policy, increasing the number of characters and the complexity required.
When contacted, the RPA cyber supplier arranged a meeting with the school to determine actions. As well as setting tasks such as investigating high-risk areas and common issues with hacks, they instructed the school to install Crowdstrike software on servers. This detected risks unrelated to the cyber incident, such as software in network management that was a potential risk to the school.
The school also contacted their external filtering service, Barracuda, to check activity and make sure their back-ups were secure. The RPA cyber supplier then performed several checks and scrutinised copies of the hard drives.
Parents were communicated with during the incident through templates created as part of the cyber response plan. These also had input from the school’s own external Data Protection Officer.
Making a claim
The school assumed that the initial email from the DfE cyber team flagging the incident would automatically start the claim process, not realising it was a separate team to the RPA.
However, the school quickly contacted the RPA to make a claim using the cyber response form provided. Following this, RPA initiated the contact and the investigation began.
Clare’s advice for others
Going forward, further security measures are being implemented as suggested by the RPA cyber supplier. The incident would have cost in the region of £45,000 had the school not been an RPA member.
Reflecting on the incident, Clare provides her advice on being prepared:
1. Have support in place
"What was a very stressful time - where potentially we could have lost everything, The RPA cyber supplier kept us grounded and their support helped us to get through it. We felt we were in safe hands and had their full support."
2. Have a smooth process to follow
"Most staff were unaware of the incident due to the actions put in place which is a credit to the school team, the RPA team and the RPA cyber supplier.
Without the RPA cyber supplier we would not have known where we were at that point. We have the reassurance of knowing that we have done as much as we possibly could do and the expertise they brought was invaluable."