Cyber Incident Victim: Royal Grammar School, Newcastle

Date: Dec 2018

Location: United Kingdom

Summary

Newcastle's Royal Grammar School was targeted in a phishing attack where perpetrators accessed parents' email addresses and sent fraudulent messages impersonating the school's bursar, offering fee discounts for Bitcoin payments. The emails contained spelling and grammatical errors, and while no financial details were compromised, the incident constituted a potential data breach under GDPR regulations. The school alerted parents, reported the incident to police, and collaborated with its email provider and the Information Commissioner's Office, which noted similar phishing attempts against other educational institutions.

Description

On December 29, 2018, Newcastle's Royal Grammar School experienced a cyber incident involving unauthorized access to its email systems, specifically compromising the account of the school bursar responsible for fee collections. Attackers used this access to send fraudulent emails to parents, falsely offering a 25% discount on school fees for immediate payment via Bitcoin cryptocurrency. The emails contained spelling, grammatical, and punctuation errors, potentially indicating their malicious origin. The school's headmaster, John Fern, subsequently notified parents about the "sophisticated attack," clarifying that the institution would never solicit payments or bank details through such methods. While no financial data was accessed, the attackers obtained parents' email addresses, constituting a potential breach of personal data under GDPR regulations.

The school promptly reported the incident to law enforcement and initiated contact with the Information Commissioner's Office (ICO) to comply with mandatory data breach reporting requirements. Internal investigations were conducted in collaboration with iSAMS, the provider of the school's email systems, to determine the extent of the compromise and identify vulnerabilities. The ICO confirmed awareness of similar phishing attacks targeting other schools but declined to specify the number of affected institutions. Newcastle's Royal Grammar School issued a formal apology to parents for the disruption and reaffirmed its commitment to securing personal data, while emphasizing that no financial losses occurred due to the scam. The ICO continued assessing the incident as part of its broader investigation into education-sector phishing campaigns at the time of reporting.
