2026 has been a terrible year so far for cyber attacks on Australian schools.
In January, the Victorian government disclosed that every government school in the state was compromised by a cyber attack, and only a few months later, the Canvas breach impacted schools and student data around the country.
More recently, teachers and students at Reynella East College in South Australia had their passports and other personal information published to the dark web by unscrupulous ransomware operators.
And that’s just one six-month period. However, it proves that schools are juicy targets for hackers looking to make a quick buck at the expense of critical workers like teachers and helpless schoolchildren.
“Schools are attractive targets because they hold highly sensitive data on children. As we saw with the Canvas breach, threat actors believe that student data creates emotional and reputational pressure,” Danny Jenkins, CEO and co-founder of cyber security firm ThreatLocker, told Cyber Daily.
“It is not simply a list of adult customers or business contacts. School data often includes information about children, grades, family challenges, and learning support needs.”
According to Jenkins, if a threat actor can disrupt a school’s systems, it can easily put pressure on the victims to pay a ransom or face lengthy delays to regular classes.
“In the United States, ransomware attacks have forced districts to temporarily close schools,” Jenkins said.
“Another example is the 2022 attack on the Los Angeles Unified School District, where sensitive student records, including deeply personal psychological evaluations, were stolen and later released after the district refused to pay. Attackers likely believed the highly sensitive nature of that data would ensure their payment.”
While many of this year’s school breaches have been third-party driven, individual actors are still targeting specific schools, as with Interlock’s attack on Reynella East College. Hackers like Interlock, Jenkins said, have a wide array of tools and techniques at their disposal to breach school networks.
“Interlock has been linked to social engineering techniques, including ClickFix-style attacks. The group has also been observed gaining initial access through drive-by downloads from compromised legitimate websites, which the FBI noted is a less common technique among ransomware groups,” Jenkins said.
“They have also been observed attempting to trick users into installing malware disguised as browser updates, which is a more traditional vector.”
Interlock, like many similar groups, is known to take its time during a ransomware attack, first conducting network reconnaissance and understanding how its victim works and what data is most useful to exfiltrate. In Interlock’s case, the data is not only stolen, but also encrypted in place, prompting the victim to pay a ransom not only to stop its data being published and shared with other cyber-criminals, but also to receive a decryptor to unlock the data.
And all while the threat actor maintains a high degree of stealth.
“One of the reasons these attacks can go undetected for so long is because the attackers deliberately blend into the environment as they identify valuable systems and sensitive data,” Jenkins said.
“Overall, schools are vulnerable to the same wide range of attack vectors as any other organisation, and every ransomware group has its preferred tactics. Some are on the simpler side, like ClickFix, others rely on traditional phishing, while more cutting-edge groups exploit vulnerabilities in third-party software.”
However, while the Reynella East College breach is no doubt devastating, it’s emblematic of a wider problem: despite the fact that schools hold reams of sensitive data, they’re often ill-equipped to secure it, and often short of resources.
“There's no single cause, but cost can be a factor, especially for public schools. When schools are strapped for funding, cyber security sometimes gets pushed aside as an IT expense rather than being recognised as a student safety issue,” Jenkins said.
“Another problem is the assumption that some schools are too small or too local to attract cyber-criminal attention. That is a dangerous misconception we see across all industries. Attackers often prefer smaller or less mature organisations because they may have fewer security controls.”
Even the most basic cyber hygiene measures can make a difference, even if – as appears to be the case with Reynella East College – but preventative controls matter, too, Jenkins said.
“For Australian schools, the advice in the Essential Eight is a good starting point and Zero Trust controls like application allowlisting, least privilege access, and segmenting systems that do not require cross-access are all important defences.”
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.