Cyber Incident Victim: AQA
Date: Jun 2023
Location: United Kingdom
Summary
British exam boards were targeted by hackers who stole national exam papers and sold them online to students seeking to cheat. The incidents, which involved OCR, Pearson Edexcel, and AQA, are under police investigation for fraud and computer misuse. It is suspected a school's internal email system was compromised to request the papers. Students found to have purchased the stolen materials face severe consequences, including having their results disqualified and being banned from retaking exams.
Description
In late May 2023, a cyberattack disrupted national end-of-year high school exams in Greece, setting a concerning international precedent. Shortly thereafter, during the exam season in England and Wales, which runs between May 15 and June 27, a series of incidents impacted major British examination boards. The exam season typically sees a surge in attempts to sell fake exam papers online, but these particular incidents involved genuine data breaches. Police in Britain launched investigations into multiple incidents where national exam papers for school-leavers were stolen by hackers and subsequently sold online to students seeking to cheat on their tests. The incidents affected several key examination boards, including OCR, Pearson Edexcel, and AQA.

An initial incident involved the OCR and Pearson Edexcel exam boards. It is suspected that a hacker was able to access a school's internal email system. From this compromised position, the attacker then used the school's email system to request exam papers directly from the exam boards. This method of operation was first reported by Schools Week. The Cambridgeshire Constabulary confirmed they were investigating a data breach where these two examination boards had exam papers extracted from their systems and sold online. The police spokesperson stated that the investigation was still in its early stages and that the force was collaborating with the UK government and the National Crime Agency’s cybercrime unit. This collaboration indicates the serious nature of the breach and its potential implications for national education standards.
A separate but related cyber incident affected AQA, which is the largest exam board in Britain. This incident was confirmed over the weekend following the initial reports. Surrey Police took the lead on this investigation. A spokesperson for Surrey Police stated they were investigating an allegation of fraud and computer misuse involving a data breach at AQA, whose main office is based at the University of Surrey. The incident was reported to Surrey Police on June 16, 2023, which was toward the very end of the exam season. The exact date when the breach at AQA occurred was not publicly disclosed by authorities. Surrey Police also confirmed that no arrests had been made in connection with their investigation at that time.
The affected exam boards declined to comment on the incidents individually. Instead, they responded collectively through the Joint Council for Qualifications (JCQ). The JCQ issued a statement saying, "Exam boards have reported a small number of contained incidents of alleged fraud to the police." This collective response aimed to present a unified front and manage the public messaging around the breaches. The JCQ spokesperson further emphasized the seriousness with which the boards were treating the matter, stating, "As the police are actively investigating, it would not be appropriate for us to provide further information. As in any year, those found to have been involved in malpractice will face severe consequences." This statement served as a clear warning to students who may have participated in purchasing the stolen materials.
The main examinations targeted in these breaches were the GCSEs and A-Levels. GCSEs are typically taken by 16-year-olds at the end of their compulsory education in the UK. A-Levels are advanced qualifications that form a critical part of university entry requirements and are considered equivalent to Advanced Placement (AP) exams in the United States. The theft and sale of these papers threatened the integrity of these high-stakes national qualifications. The potential consequences for students were severe. Students who were found to have purchased the stolen exams faced the possibility of having their results disqualified. Furthermore, they could be banned from re-sitting the exams for a set period. This punishment would have significant real-world impacts, potentially causing students to miss out on their university placements and derailing their educational and career trajectories.
The investigation into these breaches was multifaceted, involving multiple police forces and national agencies. Cambridgeshire Constabulary investigated the breach involving OCR and Pearson Edexcel, while Surrey Police investigated the separate incident involving AQA. Both forces confirmed their investigations were ongoing and that they were treating the matters with urgency. The collaboration with the National Crime Agency’s cybercrime unit highlighted the technical nature of the intrusion and the need for specialized cyber forensic capabilities to trace the origin of the attacks and identify the perpetrators. The fact that no arrests had been announced by late June indicated the complexity of the investigations and the challenge of attributing such cyber-enabled fraud.
The primary impact of these incidents was the direct threat to the integrity of the national examination system. The theft and sale of genuine exam papers undermined the principle of fair and equal assessment for all students. It created an environment where students who cheated could gain an unfair advantage over their peers who prepared for the exams honestly. This posed a significant challenge for the exam boards and educational authorities in ensuring that the final results issued were legitimate and trustworthy. The reputational damage to the affected exam boards—OCR, Pearson Edexcel, and AQA—was another direct consequence, as it raised questions about the security of their systems and their processes for handling sensitive material.
The response actions were primarily led by law enforcement, with the exam boards deferring to the ongoing police investigations. The collective response through the JCQ was a key public relations and coordination effort. The exam boards themselves did not publicly disclose specific details about how their systems were breached, what specific security measures failed, or what immediate remedial actions they were taking to secure their systems against future attacks. The police statements provided the only official timeline, confirming that the AQA breach was reported on June 16 and that the investigations were in early stages as of late June 2023. The overarching goal of the response was to support the police investigations, maintain the integrity of the examination process, and deter further malpractice by promising severe consequences for anyone involved.
