The 600GB of stolen data allegedly contained passport scans, passwords and usernames, family contact details, sensitive financial documents and more – and that data’s now been dumped on the dark web.
The attack is another example of the concerning year-on-year rise in instances followed a major attack on learning platform Canvas, which affected millions of students and staff in universities and government schools.
In a recent survey of independent schools, cyber risk was the highest-ranked concern among respondents, reflecting schools’ growing reliance on digital systems across teaching, administration, communications and finance.
One-in-four schools reported experiencing a cyber incident, up from one in five in 2024. In response, 76 percent of schools report having preventative cyber measures in place, up from 66 per cent in 2024, highlighting a stronger focus on preparedness.
Yet with massive databases of sensitive personal and financial information, and minimal cybersecurity budgets, schools should be worried.
“If we wind back the clock five years or more, there was a bit of a, dare I call it, ‘moral code’ amongst the cyber criminals,” Andrew Philp, Trend Micro’s Australian and New Zealand Chief Information Security Officer (CISO), says.
“They were much less likely to go after institutions like schools, not-for-profits, hospitals, those sorts of places – but that seeming moral code, or those seeming etiquettes, have disappeared now. They’ll go after anyone that’s a vulnerable target.”
Previously, cyber hackers would encrypt your computer and ask for $150; these days typically, they want hundreds of thousands to millions of dollars, depending on the size of the school or organisation.
Trend Micro is a cyber security software company providing threat intelligence and services, and as CISO, Philp helps service provider partners to deliver tools that help to secure schools.

Schools are realising more and more that they need to educate their staff and students and phishing simulations are becoming more of a focus, but this is probably at a slower rate than other industries, cyber security expert Andrew Philp says.
He says principals and school leaders need to prioritise multi-factor authentication, good password hygiene, and the segmenting of critical data.
“If you’re hosting student confidential information, to the best of your ability, make sure that very limited people can access that,” he shares.
“We call it ‘zero trust’, which ensures that if someone in the environment gets compromised, they can’t access those resources. That’s locked away to just a few people. That can limit your exposure a lot.”
Philp says there are a range of tools available to schools from user-trusted partners and sources that can be used to carry out a risk assessment on the environment.
“And then it’s a matter of actually looking at the areas specific to that school that need to be improved, because often it’s those things that these threat actors will exploit to be able to get in.”
He says insidiously, the data stolen by entities like The Interlock often include an organisation’s financials as well, and they either use AI or their own internal expertise to analyse financial records and work out how much that organisation can afford to pay.
“They’ll also look for cyber insurance policies if they take out that data as well, and look for things like incident response plans.
“So before they’ve even made a first contact to the customer, they will have already understood what their incident response plan says, how much money they’ve got in the bank, and what their insurance says. So they’ve got a good idea of what can be paid.
“And their hope is that they can set a reasonable amount and it will get paid if a thing goes public – because of course, once things go public, it’s a lot more difficult for the organisation to make a payment and keep it quiet.”
So how can schools have any faith that they’re not going to release their data?
“It’s actually very much like Airbnb or any of these services that we consume daily,” Philp shares.
“It’s based on reputation. So they will show you the data, they’ll give you what would, in a kidnapping situation, be the proof of life. They’ll show you that they’ve got the data and then their reputation relies on them following through on what they say.”
Philp says there’s logic to why so many schools are slow on the uptake in terms of implementing stronger access controls – things like multi-factor authentication, tighter identity management and encryption.
Ultimately it comes down to two things according to Philp – complexity, and funding.
“Schools have a very complex environment to deal with. A school might have 100 teachers, but be servicing 3000 users because of all the students and staff that need to access that system.
“So they’re running a system that’s as complex as a larger organisation, but with lower staff and a lower budget to run it.”
The system also needs to be easy for students to access.
“You can’t have your student come home and not be able to access their homework,” Philp says.
“Complex Multi-Factor Authentication (MFA) for students is very difficult because students don’t necessarily have mobile devices to do MFA on. There’s a lot of complexity involved, so it’s not as simple as 'we can turn all of these things on straight away'.”
Funding models are naturally based on delivering the best education outcomes possible, which means things like cyber security are a secondary consideration and keeping things up to date can be nigh on impossible.
“I hope that events like this [cyber attack in Adelaide] encourage schools to prioritise that and fund those things appropriately,” Philp says.
So does the responsibility for beefing up protections lie with policy, with government, or schools and sector leaders?
An audit report by the NSW Auditor General, covered this week by EducationHQ, has revealed that school principals are left to their own judgement when it comes to protecting the security and privacy of student information.
While school leaders take responsibility for selecting the operating systems used to store and process student information, control settings for staff access to it, and manage records and sensitive information, the report warns these obligations require ‘complex technical and legal knowledge and skills’ which principals might not have.
So, as in most states and territories, while principals are provided with general policies, training and central supports to aid them, the NSW Department does not offer a consolidated resource on the specific student information risks they need to manage, nor monitor how they carry out this work in practice.
“I think ultimately the responsibility has to lie with the individual school,” Philp concedes.
“Depending on how different models work, sometimes there’s support for that, sometimes the state-based education department might support some of those systems and provide some of those things as shared services.
“Ultimately, however, every individual school still has to look at what it is collecting, what it’s storing, how it’s storing it and just making sure that it’s doing a proper risk assessment and understanding, are the appropriate controls in place to look after that?”