Cyber Incident Victim: Carmel College
Date: Sep 2022
Location: United Kingdom
Summary
A cyberattack attributed to the Vice Society hacking group compromised Carmel College and multiple other educational institutions, resulting in the theft and subsequent leak of highly sensitive data. The breach exposed confidential student records, including special educational needs information and passport scans, alongside staff contracts, payroll details, and financial documents. Attackers used broad search terms to find data to exfiltrate and demanded ransom payments before publishing the stolen material on the dark web. The incident disrupted school operations, necessitating system restoration and forensic investigations, with authorities including law enforcement and data protection regulators engaged in response efforts.
Description
The cyber incident affecting Carmel College occurred as part of a broader campaign by the Vice Society hacking group targeting educational institutions in the UK and USA during 2022. On September 28, 2022, concurrent with attacks on other schools like Pates Grammar School, Carmel College experienced unauthorized access to its IT systems that disrupted operations. The attackers exfiltrated sensitive data including confidential student records, staff contracts, and financial documents. This breach followed Vice Society's established pattern of stealing data and demanding ransom payments before leaking information on dark web portals inaccessible through conventional browsers. The group utilized generic search terms to identify and extract folders containing passport scans of students and parents from school trips dating back to 2011, staff salary details, and records of student bursary recipients.

Carmel College's compromised data appeared on Vice Society's dark web leak site alongside materials from 13 other institutions, including the School of Oriental and African Studies, which confirmed its September 2022 breach involving 18,680 files. While the college did not publicly disclose its response timeline, affected organizations typically followed containment protocols including forensic investigations, system restoration, and notifications to regulatory authorities. The Information Commissioner's Office and local law enforcement agencies investigated the breaches. Operational impacts included temporary IT system outages that forced schools to implement alternative communication channels like temporary Gmail accounts. Data exposure risks encompassed identity theft vectors through passport details and potential reputational damage from leaked staff compensation and student support records. Restoration efforts focused on rebuilding secured systems while cybersecurity specialists conducted damage assessments to determine full breach scope.
