Thousands of examiners’ personal details stolen in AQA cyber-attack
Tens of thousands of examiners have had their personal details hacked after the exam board AQA fell victim to a cyber-attack.
Data relating to 64,000 current and former examiners stored on some of AQA’s online systems has been stolen by attackers, including examiners’ names, addresses, personal phone numbers, and passwords.
However, the board stressed the systems attacked did not store any bank details, nor data belonging to schools or pupils, or exam material.
The Information Commissioner’s Office is now investigating the data breach.
AQA said it was alerted to the attack on March 21 and took the affected systems offline immediately to fix security issues.
A spokesperson said “first indications” were that no data was stolen. However, AQA discovered on April 6 – more than two weeks later – that some data had actually been accessed. This showed up as part of a “thorough forensic analysis” run by the exam board.
David Shaw, AQA’s chief information officer, said: “We’re really disappointed that this has happened despite our huge efforts to keep our systems secure, and we’re very sorry that our examiners have been affected.
“We’ll give them whatever support they need, and we’d like to reassure students and parents that none of this affects this summer’s exams.”
Data stolen included names and contact details, answers to security questions, and passwords for other online examiner systems – which are all now being reset.
AQA said it is contacting all examiners whose details have been taken, as well as reporting the attack to Ofqual and the ICO.
An ICO spokesperson said: “We’re aware of a potential data breach involving AQA Education and will be making enquiries.”
The spokesperson said the investigation will look at whether the exam board was following regulations outlined under the Data Protection Act. Any breaches could result in action ranging from a warning letter to a fine.
AQA told examiners it takes cyber security “very seriously” and has measures in place to protect everyone’s personal information. While the measures did not prevent the “malicious activity, it did help us limit the impact”, the board said.
The e-AQA system for schools and colleges was one of the sites taken offline as a precaution, but wasn’t part of the attack, AQA said.
It’s the latest cyber-attack to hit the education sector. Schools were warned in January to beware of scammers posing as government officials in a bid to elicit details and hold important computer files to ransom.
Action Fraud issued an alert following “numerous reports” of attempts to inflict ‘ransomware’ – which encrypts important files until a ransom is paid – on school computer systems using cold calling and confidence trickery.
Schools were told to avoid clicking on links or attachments from unsolicited emails or text messages, and not to pay extortion demands if attacked.