Irish primary school data held to ransom in cyber attack

The case was revealed in the Data Protection Commissioner's annual report


The Data Protection Commissioner (DPC) has seen a fall in the number of data breaches reported.

During 2016, a total of 2,301 notifications were received - of which 77 cases were classified as non-breaches.

A total of 2,224 valid breaches were recorded, which is a decrease from the 2,317 reported in 2015.

Source: Office of the Data Protection Commissioner

However, one such case of a breach came in October last year, in what was described as a 'crypto-ransomware attack' on a primary school.

The DPC says parts of the school's information systems were encrypted by a third party, and a ransom was demanded to release the encrypted files.

These files contained personal information - including names, dates of birth and Personal Public Service Numbers (PPSNs).

An assessment found that the school had deficiencies in measures to secure pupils' personal data, including:

  • No policies or procedures were in place to maintain adequate backups
  • No procedures or policy documents existed focusing on system attacks such as ransomware or viruses
  • No contracts with data processors (ICT services providers) were in place (as is required under Section 2C(3) of the Data Protection Acts)
  • A lack of staff training and awareness of the risks associated with opening unknown e-mail attachments or files

The report says recommendations were issued to the school that it take steps to reduce its risk and that several steps were taken to do so.

The Commissioner concluded: "This case demonstrates that schools, like any other organisation - commercial, public sector or private - operating electronic data-storage systems and interacting online must ensure that they have appropriate technical security and organisational measures in place to prevent loss of personal data, and to ensure that they can restore data in the event of crypto-ransomware attacks."


Meanwhile, 142 of the valid breaches last year were from the telecommunications sector - accounting for just over 6.3% of total cases reported.

The Commissioner says the highest category of data breaches reported involved unauthorised disclosures, such as postal and electronic disclosures - the majority of which were in the financial sector.

The report also notes that in 2016, the DPC finally launched its own Twitter account and that the office now has almost 100 staff, up from just 30 in 2013.
