Cyber Incident Victim: De Montfort School
Date:
Sep 2022
Location:
United Kingdom
Summary
A cyber attack targeting multiple UK schools, including De Montfort School, resulted in significant data theft and system disruptions. The Vice Society hacking group compromised IT infrastructure, stealing sensitive documents such as student SEN records, passport scans, staff contracts, and financial details, later leaking them on the dark web. The breach caused operational outages, forcing temporary communication workarounds and disrupting teaching resources reliant on platforms like Microsoft Teams. Affected institutions engaged cybersecurity specialists and law enforcement, with investigations confirming data exfiltration after initial assurances to the contrary. The incident highlighted sector-wide vulnerabilities, with threat actors exploiting educational institutions' limited cybersecurity resources to access highly personal and confidential information.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The cyber incident affecting De Montfort School was part of a broader campaign by the hacking group Vice Society, which targeted at least 14 UK schools and leaked highly confidential documents online. The attack occurred on or around September 28, 2022, when unauthorized third parties compromised the school's IT systems. This disruption led to immediate operational impacts, including downtime of critical infrastructure such as phone lines and Microsoft Teams-dependent teaching materials. While De Montfort School did not publicly disclose specific technical details of their breach, contemporaneous reports from similarly affected institutions like Pates Grammar School indicate that Vice Society employed generic search terms to exfiltrate data systematically. The stolen data included sensitive student records such as Special Educational Needs (SEN) information, passport scans from school trips dating back to 2011, staff employment contracts, payroll details, and internal documents related to bursary funds and leadership compensation.
Vice Society published the stolen data on its dark web site following an apparent failure to receive ransom payments, consistent with its established modus operandi of double-extortion attacks. The dark web leak exposed personally identifiable information of students, parents, and staff to criminal entities with the technical capability to access such platforms. De Montfort School declined to comment on the incident, but regulatory responses were initiated: The Information Commissioner's Office (ICO) and local law enforcement agencies confirmed investigations into the 2022 breaches. Impacted institutions like the School of Oriental and African Studies (SOAS), which experienced a parallel September 2022 attack by the same group, demonstrated typical response protocols—notifying affected individuals, engaging cybersecurity specialists for forensic analysis, and restoring critical systems while maintaining communication with authorities. The breach at De Montfort School underscored sector-wide vulnerabilities, with cybersecurity experts noting educational institutions' limited IT resources and high-value personal data making them frequent targets for financially motivated threat actors.