Many schools are unsure of what to do when they discover unauthorised access to their computer systems – which can include students’ Facebook pranks. But all cyber crime should be reported to the right agencies — and often the police — says Jess Staufenberg in the final of her six-part series on computers in schools
Hacking has made the headlines this year. After a string of high-profile cases such as TalkTalk, the telecoms group, and Ashley Madison, the online dating site, education joined the list this week when education network Jisc was hacked, leaving many institutions without an internet connection for several days.
Aside from crippled services, the worst outcome is the exposure of students’ personal data. Just how easy that can be was demonstrated last month when a cyber attack on toy manufacturers V-Tech revealed six million children’s identities.
“Attacks happen more than statistics show”
Experts say that smaller attacks are happening more than official statistics show. Hacking is defined as “unauthorised access to a computer”. This may extend further than you expect. Under the Computer Misuse Act 1990, even a student who knowingly goes into another student’s Facebook page without their permission has “unauthorised access” and is, strictly speaking, acting illegally. These incidents are almost never reported. Where hacking is reported, it is mostly because of a personal data breach. Of the 116 data breaches in education institutions over the past year reported to the Information Commissioner’s Office (ICO), about a quarter (21) resulted from “cyber attack or IT failure”, “unauthorised access” and “data theft”. And these are probably only a fraction of incidents in schools every day.
Several other issues surround hacking in the education sector. First, school computer systems have particular vulnerabilities to “unauthorised access”, according to Action Fraud, the UK’s national internet crime reporting centre and the organisation to whom schools are supposed to report all cyber crime.
Steve Proffitt, Action Fraud’s deputy head, told Schools Week that school’s wi-fi systems and large budgets make them attractive to hackers. “Most schools have a wi-fi network. That’s very, very susceptible to cyber crime,” he says. “All your pupils are going to get access to the wi-fi, so the chances of someone having access to it outside are large. A white van could just sit outside listening in.”
Remote-dial telephone systems are also vulnerable. Action Fraud has known of schools returning from holidays to a £100,000 bill after a hacker, having cracked the password security, used its multiple lines to dial a premium rate abroad while reaping the 30p a minute charge. The school must pay the bill since the telephone company holds them responsible for failing to change their passwords often enough.
A student hacked the systems of Bay House School in Hampshire three years ago. Having cracked a staff member’s password, he tried it across other administrative systems and found it worked – making him privy to 20,000 individuals’ information, including the medical information on 7,600 pupils, according to The Guardian.
The school’s advice for staff to “avoid” repeating passwords across sites was found to have been inadequately enforced. “Schools are just not aware of all the ways they can be attacked,” Proffitt says.
Not only are schools fairly vulnerable, but not many know where to report non-data related incidents.
“Schools should be reporting any unauthorised access to us, so we can work with the police to act and so it can be recorded,” Proffitt says. “They are not obliged and we can’t make them, but these are criminal offences and we would like everybody to start reporting.”
Schools we spoke to typically knew that data breaches should be reported to the ICO and police, but not that cyber crime of any kind, including the whole spectrum of unauthorised access (such as Facebook pranks), should be separately reported to Action Fraud.
Ken Corish, online safety manager at the South West Grid for Learning (SWGfL) remembers an incident at a school hacked by two students of a neighbouring school, in which the IT coordinator contacted SWGfL through the local authority.
“The school asked what they should do. This did surprise me,” Corish says. “They were not sure whether to involve the police. We advised that it was a criminal act, and they should not only seek advice from the local police but also inform the ICO of a potential data breach.”
He says that because schools do not always know who they report different kinds of hacking incident to, there is a “lack of metrics”.
Schools may understandably be reluctant to incriminate young people, but Action Fraud says reports of cyber crime are not always followed by criminal charges. Indeed, prosecuting hackers can be difficult because of the emphasis on “intent” within the Computer Misuse Act. Prosecutors must prove that the person knowingly accessed a computer device without authority. And even where that is proven, others have said the ICO remains too lenient in the punishments they then mete out.
Jen Persson, founder of pupil data protection group Defend Digital Me, says the TalkTalk hack, which affected 157,000 customers, was a worrying example of ICO inefficacy. “One reason TalkTalk horrified data privacy experts is because they repeatedly failed to improve their system security even after the Information Commissioner’s intervention,” she says. “This shows that our data protection penalties are too lenient, if they do not act as a reason for a company to improve their practices.”
At Bay House School, the headteacher signed up to a set of measures and had to undergo an annual “penetration test” by hacking experts. The ICO handed out no fine or further punishment, despite the exposure of pupils’ medical information.
Students do not seem especially aware of the illegality of hacking – with much internet education focusing on behaviour rather than criminality. Corrienne Peasgood, principal of City College Norwich, says students are taught extensively about cyber bullying and e-safety, but “not necessarily” about hacking and the 1990 Act. Instead, staff take it upon themselves to keep everyone compliant. “We have to be clued up on it, and our relationship with the police helps with that,” she says.
Action Fraud and the National Association of Data Protection and Freedom of Information Officers have both called for better education of students on what constitutes “unauthorised access”.
But educating pupils isn’t a failsafe guard against hacking. Jon Pollitt, the IT services director for City College’s Norfolk-based group, said its academies, primary school and technical college were all recently affected by the attack on Jisc (formerly the Joint Information Systems Committee), resulting in almost no access to emails or internet for at least a day last week.
He says the Jisc case highlights a key problem of how schools are able to protect themselves. Technological support was once provided by Jisc itself, but the organisation has shrunk. “Jisc has been cut so badly, it’s of very little use to us any more,” he says. “Most of us are quite unhappy. Jisc is the only one that was left, the sole supporting body.”
If schools can educate their students on the Computer Misuse Act, they may be able to prevent curious teenagers taking risks in-house.
For other kinds of attacks, meanwhile, school leaders could look beyond the panic of personal data breaches to the rainbow spectrum of hacking possibilities, and ensure these too are reported. Action Fraud and the ICO can then build a more accurate picture of cyber crime in the education sector. Fail, and there will be no one stepping in to the gap.