Ransomware attack on Skinners’ Kent Academy Trust
Guest blog by Karen Partridge, Chief Operating Officer, The Skinners’ Kent Academy Trust
Karen Partridge, Chief Operating Officer of the Skinners’ Kent Academy Trust, shares the Trust’s experience of a ransomware attack to help schools and Trusts understand the ramifications of an attack and the lessons learned.
The Skinners’ Kent Academy Trust (SKA) comprises one 6FE secondary academy with sixth form (c.1,100 students) and one 1FE primary (210 pupils), with 150 staff across the Trust. It has its own internal IT team of three who manage the infrastructure, hardware and software and provide helpdesk support and training to students and staff.
The Ransomware attack on Skinners’ Kent Academy Trust
The Trust were victims of a ransomware cyber-attack on 2 June 2021 (during half-term week). It was suspected that the attackers had gained access to systems/servers via a phishing email sent to staff, one of whom opened an attachment. This occurred in March 2021 and allowed the attackers to escalate their access rights to administrator level and spend time in the system.
The attackers encrypted all data on our servers, preventing us from accessing any of it, including the Trust’s Management Information System (the SIMS database) as well as the backups. The backups were off site but online, on the same network, and therefore became encrypted as well. The ransomware used was ‘PYSA’, which is fairly sophisticated, and no decryption key could be found to decrypt the data despite attempts via an external recovery company (Fast Data Recovery; other suppliers are obviously available).
We had to react quickly and decisively:
- Disconnect our network from the internet
- Contact the police (we later appreciated that this should have been Action Fraud)
- Call the Critical Incident Team (CIT) together
- Engage with the attackers to ascertain what they wanted (money; in fact, bitcoin)
The Trust had an IT disaster recovery plan, but it was based on the ability to restore from backups. A lesson learnt! Have plans that consider all risks and scenarios as far as is practicable, and ensure backups are offline and appropriate for your setting.
The CIT set about agreeing a communication strategy (who, what, when, how).
We also needed to ensure that the attackers were unable to continue operating within our environment, to understand how they had gained access, and to learn how to prevent or mitigate future attacks. Crossword were appointed for this (other suppliers are available). DMS were appointed to support the rebuild of the network and provide ongoing support.
To give an understanding of the impact: SIMS data included all student information such as name, UPN, home address, DoB, contact details, medical and dietary information, parental contact details, timetables and attendance. For staff this was similar, with additional information such as bank account number, sort code and pay information, and, as with all academies/schools, our Single Central Register (SCR) information, which may include driving licence (DL) and passport details held as proof of identity and right-to-work-in-the-UK confirmation. It is worth mentioning that this would also cover Governors and other regular contractors such as cleaning or catering staff.
There were also years’ worth of finance, HR and admin records stored on our servers, all of which were encrypted, e.g. the iPad scheme (which would have held parental payment information), staff electronic files and template letters/contracts, and student trip information (which potentially held student passport information).
The loss of all this data meant that the re-opening of SKA and SKPS after half term was delayed, as neither academy could open without basic student data to ensure the health, safety, welfare and safeguarding of students. For SKA, the lack of timetables and of the ability to register students was a logistical and operational nightmare. We also had to consider the impact on other systems such as biometrics, catering till operation, the accounting system, Class Charts, etc.
The attack happening during half term was also difficult, as the majority of staff, including the Principal of SKA and the Headteacher of SKPS, were on leave, though of course contactable.
All that said, we had migrated to Office 365 in 2020, so our email was not affected; we used the cloud-based accounting system PSF, so our supplier records and a lot of our financial information were not affected; and we had started using Teams at SKA for remote learning and working during the COVID lockdown, so a lot of teachers’ resources were available. We had also recently introduced software called Edulink at SKA, which enabled communication with parents. This was not the case for the primary, which was still very much storing everything on the network, but it did have a system called Class Dojo which allowed for communication.
We were able to deliver remote learning to SKA students for the 2-3 days after half term while we worked on recovery and data collection, while our primary school was able to return as planned after its inset day.
Recovery has been a difficult and time-consuming process for the IT, data and support teams, who have worked tirelessly since June 2021 and particularly during the summer break. We are still recovering and feeling the impact.
Capita SIMS worked with us to rebuild our database/MIS, but we now use a hosted version, and staff are using their Office OneDrive, SharePoint and Teams almost fully. A new network has been built with improved and strengthened security. All desktops and laptops were re-imaged, all students and staff were issued with password resets, and all recommendations from Crossword’s forensic analysis report have been implemented, as well as the NCSC Cyber Essentials guidance. Regular phishing-awareness training for staff and monitoring of our network now take place.
Summary and Lessons Learned
The Trust were victims of a ransomware cyber-attack and had what would be expected to be adequate security and controls in place for an academy/school. Cyber-attacks can happen to anyone, anywhere, at any time, and attackers do not care who you are or how the attack impacts you. In the majority of cases they are after money.
There are lessons to be learnt here though:
- Understand what data you hold and what the impact of not having it is – undertake a Data Impact Assessment (DIA); your DPO may be able to assist with this
- Review your controls and backups
- Ensure backups are offline
- Use the NCSC Cyber Essentials as a checklist
- If you have an internal IT team, make sure they have the skills and knowledge to properly monitor your systems, and if not, get them external help
- Train staff to be vigilant when opening emails: check where they are coming from and don’t blindly open an attachment; implement phishing-simulation software to test staff regularly
- Ensure you have a password policy and regular password resets
- Make sure the IT team’s administrator passwords are secure and that least-privilege access is used
- Look to use more cloud-based systems
About the author
Karen Partridge is the Chief Operating Officer for the Skinners’ Kent Academy Trust. Karen wanted to share the Trust’s experience of a ransomware attack with other schools to help them understand the impact a ransomware attack can have and the lessons learnt by the Trust that may help schools prepare for an attack.
teamSOS is an on-call incident and emergency response app for schools and trusts. teamSOS is off-premise, ensuring your school or Trust can still communicate and manage any type of incident during your recovery from a cyber attack by providing:
- A simple cyber incident reporting app for every member of staff
- Secure closed-response announcements to keep all staff updated and gather information quickly as a situation develops
- A comprehensive incident log, gathering and preserving evidence
- In-the-moment guidance, with customisable task lists to support your critical incident and cyber incident response plans
- Safe, secure messaging for use on personal devices aids business continuity when key systems or equipment are unavailable
- Drill mode to ensure preparedness and staff awareness helping refine your processes
- Incident ‘type’ tracking across your organisation that evidences your response
- Integration with leading safeguarding platforms to ensure you remain KCSIE compliant during a critical incident
teamSOS works across computers, mobiles, tablets and even clickable personal panic buttons that can attach to a lanyard.