MAT falls victim to data leak after $8m ransom demand

Cyberattack on Harris cost academy trust more than £500K despite it standing firm against Russian hackers' calls for cash

Amy Gibbons

Data from one of England's most prominent academy chains has been published on the "dark web" after it refused to pay a ransom to hackers who at one point demanded $8 million, it has been revealed.

The Harris Federation, which is responsible for 38,000 pupils across 50 primary and secondary academies in London and Essex, fell victim to a cyberattack in March, when criminals accessed its IT systems and encrypted, or hid, their contents.

Now details have emerged of just how much money was being demanded and how the trust decided to deal with it. 

Russian-based hackers initially demanded $4 million from the trust in exchange for restoring access to "important financial files", as well as "bank statements, credit card details, and information relating to staff", compromising all 50 of its schools, according to a BBC Radio 4 File on 4 report verified by Harris.

The gang also stole copies of the trust's files and threatened to sell them online, the BBC said.

Sir Daniel Moynihan, Harris' chief executive, said: "They have like a web page on the dark web where people can have conversations with them. And they'd indicated that they wanted $4 million in cryptocurrency.

"It struck me as completely insane. I mean, we are a group of schools operating in disadvantaged and challenging circumstances for students from low incomes. Why would anybody want to take or think it's appropriate to take money from youngsters in that situation?

"We're about turning around failing schools and changing lives. It struck me as utterly, utterly nuts."

The programme reported that the hackers had threatened to release "personal data" on the "dark web". The trust also faced a headache from the temporary loss of crucial education files such as students' coursework.

Ciara Warnock, principal of Harris Academy Beckenham, said: "That was probably, I think, for our Year 11 and 13 students, the biggest anxiety they had and probably one of our biggest priorities because that affected the teacher-assessed grades that needed to be submitted to the exam board."

Initially, the trust attempted to seek help from firms recommended by the National Cyber Security Centre.

"We went on [the centre's] website, and our IT director saw that there were a series of firms recommended that could help you with this stuff," Sir Daniel said. 

"He contacted all of those firms on the Saturday. None of them could take us on – they were all at capacity with workload and they had no capacity to take us."

Harris went on to enlist help from a cybersecurity company based in Israel, which assessed the damage to the trust's systems while negotiations got underway with the hackers.

But when no progress was made, the gang's demand doubled to $8 million.

Communications cited by the BBC indicated that a negotiator posing as a school manager offered $750,000 as a means to stall the hackers.

This gave the Israeli-based company time to plug any further vulnerabilities in the trust's systems to protect its remaining data.

The hackers offered $3 million as a compromise. But Sir Daniel said Harris never intended to pay the ransom.

"It was clear to us from the beginning that we weren't going to pay this one because the money we have is for children in London, and publishing the data could cause us embarrassment, it could cause a safeguarding issue, which is not good, it could put staff identity at risk," he said.

"But for us, there was no guarantee if we paid we could be sure that actually we'd get our data back."

When Harris refused to pay, the BBC said data from its schools was released on the dark web.

Tes asked the trust what kind of information was compromised, but it gave no further details.

Harris said it was correct that the hackers had obtained credit card information, but the trust cancelled the cards as soon as the attack happened – meaning no money was stolen.

While the ransom was never paid, Sir Daniel said the attack cost the trust upwards of £500,000, as it had to scan all of its laptops and ask IT staff to work overtime.

"We've got over 40,000 devices – they all had to be scanned to see if they were clean or carrying the virus, so we needed to buy in IT staff who were qualified to do this from an agency," he said.

"And then we had other costs such as paying overtime to people – our IT technicians, they worked seven days a week for five weeks.

"The overall bill was in excess of half a million pounds."

The trust is hoping to recover most of this cash through insurance.

Amy Gibbons is a reporter at Tes