‘Another wake-up call’: experts weigh in on major student data breach

By EducationHQ News Team
Published 5 hours, 33 minutes ago

Experts have raised concerns about the implications of a major data breach which has seen hackers gain access to the personal data of an unknown number of current and past Victorian public school students.

Cybersafety expert Susan McLean has questioned why the Department had former students’ details on a live server.

It is believed the cyber attack occurred via a school’s network.

On Wednesday the Victorian Department of Education revealed that an ‘external third party’ had accessed all students’ names, email addresses, school names, year level and encrypted personal passwords.

Other personal data, such as students’ date of birth, phone number or home address had not been accessed, the Department noted.

There is no evidence as yet to suggest the data had been released publicly or shared with other third parties, but there is reported speculation that the incident occurred weeks ago.

In a statement, a spokesperson from the Department said it was working with cyber experts and government agencies to investigate the breach, as well as communicating with schools “to ensure this does not disrupt students when they start the 2026 school year”.

“The safety and privacy of students is our top priority, we have identified the point of the breach and have put safeguards in place, including the temporary disabling of systems to ensure no further data is able to be accessed,” they said.

The number of past and present students compromised by the breach is yet to be revealed, but technology journalist David Braue believes its potential magnitude could “put it among the worst such incidents”.

In an article published this week, he flagged that the Office of the Australian Information Commissioner (OAIC) had been notified of only six breaches affecting over 100,000 people in its latest half-yearly figures.

Even if the data accessed is not released publicly, it still has “considerable potential value” to cybercriminals, Braue warned.

“That’s because as they progress through school and beyond, today’s students will become bank account holders, credit card holders, car drivers and buyers, and home buyers – creating a baseline dataset that cybercriminals will steadily build on,” he explained.

“Over time, cross-referencing personal details with data from other breaches will fill out criminals’ profiles of the students, providing increasingly comprehensive data that could eventually expose compromised students to identity theft and carefully engineered scams.”

Opposition Leader Jess Wilson called the incident “deeply concerning” and said families needed “immediate answers”.

“…[Premier] Jacinta Allan must confirm how many students have been exposed, what sensitive information has been compromised and how this incident occurred,” Wilson added.

Commenting on the breach, cybersafety expert Susan McLean took to LinkedIn to pen a message of warning to education departments and school systems.

“It is common knowledge that education is a [weak] link in the cyber security eco system & provides easy pickings for hackers. This is another wake up call for Ed Departments & private & Catholic schools to get their systems sorted,” she wrote.

McLean has also said there could be legal ramifications for the Department under the privacy act, despite the breach being reported to the relevant government agencies.

She questioned why the Department had former students’ details on a live server.

Victorian Premier Jacinta Allan has been called on by Liberal leader Jess Wilson to confirm how many students have been exposed, what sensitive information has been compromised and how the breach occurred.

Braue suggested that recent OAIC figures indicate that many cybercriminals have turned away from targeting education, instead going after government, health and finance sectors, as well as professional organisations, which he says are better resourced and are more likely to pay ransoms to stop data being released.

Yet Associate Professor Hassan Asghar, a cybersecurity expert from Macquarie University, has warned schools are a target of cyberattacks because they had less stringent security measures compared to major companies’ networks.

“We have learnt from previous breaches that such data is usually used by hackers for follow-up attacks such as phishing or identity theft, or even sold on the dark web,” he told The Herald Sun.

“I think disabling access to the system and resetting passwords is definitely a good start. What more needs to be done depends on how the hackers gained access to the system.”

Rachel Drysdale, a mental health social worker, questioned why the Department was not held responsible for data breaches of this scale.

“…Why isn’t the Dept held to account for breaching our children’s privacy?! Surely, at a minimum, former students’ data should be offline in cold storage to prevent this sort of breach… @Julie Inman - Grant, what do you think?” she posed on LinkedIn.

In 2022, PNORS Technology Group - a company that had ties with the Department - was hacked, compromising the sensitive personal data of thousands of Victorian students and their families.

Data from the school entrant health questionnaire (SEHQ) was reported to be among the stolen information – a questionnaire completed by all parents whose child starts at a Victorian primary school, across all sectors.

Information spanning students' developmental and behavioural issues (including their emotional wellbeing), demographics, access to health services, plus family stress, alcohol or drug problems is provided as part of the questionnaire.

An investigation report published in 2024 found the attack was carried out by a threat actor using LockBit – a “Ransomware-as-a-service operation maintained by one cybercrime group, which then sells access to its ransomware tools to other individuals or groups, allowing them to carry out attacks”.

The Office of the Victorian Information Commissioner found that given the type of sensitive personal information involved, the data breach created a range of risks for those affected, including identity theft, fraud or other scams, as well as emotional distress.

“The prevalence of cyberattacks is increasing. For example, cyber criminals try to access Victorian government networks every 45 seconds.

“Protecting personal information requires that public sector organisations and their CSPs have appropriate measures in place to protect against cyberattacks,” the report warned.

The incident also illustrated the importance of destructing personal information that is no longer needed for any purpose.

“Holding more personal information than is necessary increases the risk and seriousness of a data breach.”