Australian schools are under siege from a global cast of hackers and criminals with an appetite for profit and very little in the way of care for who they may hurt along the way.
In September last year, Victoria’s Loyola College confirmed it was the victim of a cyber attack, losing an alleged 591 gigabytes of student and employee data.
Two months later, in November, Haileybury College – also in Victoria – said it too had been the target of a “malicious attempt to access our systems”, and then earlier this year, the news got even worse for Victorian students and teachers.
On 14 January, the Victorian Department of Education said an unauthorised third party breached a school’s network to access sensitive data belonging to all 1,700 state-run schools in the state.
Now, with school back for 2026, it’s the perfect time for network defenders in the sector to start afresh and buckle down for the year ahead.
School’s back (to hack)
“Back to school shouldn’t mean back to square one for security, but in Australia as in other parts of the world, there is a notable spike in risk when thousands of students return from a lengthy break and reconnect their personal devices to an educational institution’s network,” Christiaan Beek, senior director of threat intelligence and analytics at Rapid7, told Cyber Daily.
“After weeks offline, these devices often return unpatched, shared with family members, or even already compromised. This creates opportunities for malware or beaconing activity to wreak havoc on the network.”
According to Beek, student devices, in particular, should be considered “untrusted by default”, and network defenders should focus not on perimeter security, but on monitoring outbound traffic.
“Mandatory MFA for staff and administrative systems, clear separation between student and core services, and early detection of anomalous behaviour can dramatically reduce impact,” Beek said.
“As campuses reopen, the goal isn’t perfect prevention; it’s limiting blast radius and spotting trouble early.”
One of the challenges, however, in securing a school or campus network, as Cairo Malet – senior manager for advisory and assurance at Fujitsu – points out, is that they are designed to be as open as possible.
“But they hold a huge amount of valuable information, from student health records to important research,” Malet said.
“This makes them a prime target for cyber attacks. The biggest cyber threats to education are simple tricks like phishing emails that take advantage of human error.”
With that in mind, Malet recommends two essential things every school should do. Firstly, strengthen email security.
“Since most attacks start with a malicious email, improving your filtering is the single best technical investment for immediate risk reduction,” Malet said.
“It acts as a digital gatekeeper, reducing reliance on busy staff and students to spot every scam.”
The second step is to make security a daily habit, not an irregular chore relying on patchy training or audits.
“The most powerful, low-cost strategy is to build good security habits. This means equipping teachers to model secure behaviour and embedding simple security tips into daily routines,” Malet said.
“This turns your people from the biggest risk into your strongest line of defence.”
Why was the Victorian Department of Education so easily breached?
The fact that a hacker was able to compromise the entire Education Department of an Australian state should ring alarm bells for any educator, and as far as Jason Pearce, field chief technology officer, APJ at Claroty, is concerned, it really should.
“The recent cyber incident impacting Victoria’s Department of Education has been described as a ‘limited dataset’ breach,” Pearce said.
“From the information available, the incident reveals a far more alarming reality: the state’s education network appears to be suffering from a potentially catastrophic ‘flat network’ architecture.
“The most critical detail is not what was stolen, but where it was stolen from. It appears hackers utilised a vulnerability in a single-entry point to access a database covering every student in the state.”
In a properly zero-trust environment, this shouldn’t be even remotely possible, Pearce said.
“A breach at a single school should be contained to that school’s specific server instance. In a flat network, once there is a breach of the perimeter, there are no internal barriers preventing them from jumping to central databases,” Pearce said.
“In a properly segmented network, internal ‘firewalls’ would trap the attacker in the initial compromise zone.”
It’s also worth noting that there are many threat actors out there willing and waiting to take advantage of such flaws. While some groups aspire to a certain criminal nobility and will refrain from targeting sectors such as education and healthcare, there are many who see such sectors as prime targets for exploitation, as Beek points out.
“Qilin, SafePay, and INC Ransom have been the most active in attacking the education sector over the last six months. We’ve observed these same groups attacking the healthcare sector, so it stands to reason that we would see them in education as well,” Beek said.
“When education and healthcare data intersect, as we’ve seen with recent university-affiliated research centres, the risk increases even further.”
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.