Cyber Incident Victim: Kimberley College

Date: Jul 2022

Location: United Kingdom

Summary

The Hive ransomware group breached a British educational trust's IT systems, exfiltrated sensitive student data including medical records and banking information, and demanded £500,000, citing the institution's cyber insurance policy. The attackers contacted parents directly, threatening to release the data publicly unless paid, while the trust engaged experts to rebuild systems and assess the scope of the breach. Hive is known for aggressive tactics, primarily against healthcare and educational entities. The attack underscores the rising targeting of schools by cybercriminals who leverage stolen insurance details to pressure victims, and industry reports indicate that data recovery after ransom payments varies in success.

Description

The Hive ransomware group targeted Wootton Academy Trust, which operates Wootton Upper School and Kimberley College in Bedfordshire, England, in late July 2022. Attackers breached the Trust’s IT systems, exfiltrating sensitive student and parent data including home addresses, banking information, and medical records. The group directly contacted affected families via a message threatening to publish the stolen data unless a £500,000 ransom was paid. Hive claimed to have accessed the Trust’s cyber insurance policy details during the breach, asserting the demanded amount matched the policy’s coverage limit. The message warned, "All of your child's private information will be online for everyone and for free" if negotiations failed.

Wootton Academy Trust’s executive principal, Michael Gleeson, notified parents in a public letter dated July 26, 2022, confirming the incident and ongoing forensic efforts to determine the scope of compromised data. The Trust engaged third-party specialists to rebuild IT infrastructure while investigating the breach. Hive, active since June 2021, was identified as the perpetrator—a group known for aggressively targeting healthcare and education sectors, having breached over 350 organizations within four months prior to this attack. The incident highlighted ransomware actors’ evolving tactics, including leveraging stolen insurance documents and directly pressuring victims’ stakeholders. School operations faced disruption due to system rebuilding, though the Trust did not disclose whether data was leaked or if a ransom was paid.
