Cyber Incident Victim: St. Paul's Catholic College

Date: Sep 2022

Location: United Kingdom

Summary

A cyberattack targeting St. Paul's Catholic College and multiple other UK schools resulted in the theft and dark web leak of highly sensitive data, including students' special educational needs information, passport scans, staff contracts, and financial records. The Vice Society hacking group, known for extorting educational institutions, compromised the school's IT systems, causing operational disruptions that forced temporary reliance on alternative communication channels. While initial assessments suggested no data theft, subsequent investigations confirmed unauthorized access and publication of confidential files. The incident prompted collaboration with cybersecurity specialists, system restoration efforts, and notifications to regulatory authorities and affected individuals, reflecting a broader pattern of attacks exploiting under-resourced sectors.

Description

St. Paul's Catholic College in Sunbury-on-Thames was among 14 UK educational institutions compromised in a cyber attack by the hacking group Vice Society, with data leaked on the dark web. The incident occurred on or around September 28, 2022, consistent with attacks on other listed schools like the School of Oriental and African Studies, which confirmed a September 2022 breach. Vice Society exfiltrated highly sensitive data including children's special educational needs (SEN) information, child passport scans, staff pay scales, and contract details. The group employed broad search terms to harvest documents, as evidenced by folders labeled "passports," "contract," and "confidential" containing decade-old pupil passport scans for school trips, staff contractual offers, headmaster salary details, and student bursary recipient lists. Operational impacts included IT system and phone line outages, forcing the college to establish temporary Gmail accounts for parent communications. Like Pate's Grammar School, which experienced identical folder structures and data types in its breach, St. Paul's Catholic College likely faced teaching disruptions due to reliance on compromised platforms such as Microsoft Teams.

The attackers published stolen data on the dark web after ransom demands went unmet, following Vice Society's established pattern of targeting under-resourced educational institutions. Confirmed consequences included exposure of minors' passport scans, staff salary information, and sensitive student support records. St. Paul's Catholic College coordinated with cybersecurity specialists and forensic investigators to restore systems, mitigate disruptions, and assess the breach scope. Authorities including the Information Commissioner's Office and local police initiated investigations into the incident. The college followed standard incident response protocols by notifying regulatory bodies and prioritizing system recovery, though no public statements from St. Paul's were detailed in available sources. Affected individuals across multiple institutions received direct notifications and support offers, as demonstrated by the School of Oriental and African Studies' handling of its 18,680 leaked files. The breach highlighted systemic vulnerabilities in education sector cybersecurity, with attackers exploiting limited IT resources to access long-retained sensitive data.
