Cyber Incident Victim: St. Mary's Catholic Academy

In February 2018, it was discovered that hackers had breached the CCTV systems of St. Mary’s Catholic Academy in Blackpool and three other UK schools, streaming live footage of students and staff on a publicly accessible website. The US-registered site, which advertised live surveillance cameras across the UK, exposed eight cameras at St. Mary’s covering playgrounds, entrances, internal corridors, and views of the adjacent Christ The King Academy Primary School. Footage included children leaving classrooms, parents collecting infants, and older students and teachers moving between lessons. The breach occurred because the cameras lacked password protection, allowing unrestricted access to real-time feeds. The website hosting the streams claimed no active hacking took place, attributing the exposure solely to unsecured systems.

Upon discovery, St. Mary’s and Highfield (another affected school) immediately strengthened their passwords, removing their cameras from the illicit site. Jeremy Hartley of the Eric Wright Group, which managed CCTV systems for two impacted schools, confirmed that feeds were taken offline as soon as the breach was detected, with experts deployed to investigate the cause. The incident revealed broader vulnerabilities, as the same website hosted feeds from hundreds of unsecured cameras in other public spaces, businesses, and private homes. A Big Brother Watch report cited over 200 UK schools using cameras in toilets, though no evidence linked this practice directly to St. Mary’s. The Information Commissioner’s Office initiated an inquiry into the breaches, which compromised the privacy of 1,188 pupils at St. Mary’s and an unspecified number at other institutions. No further technical details about the attackers or long-term consequences were disclosed in available reports.