Cyber Incident Victim: OCR
Date: Jun 2023
Location: United Kingdom
Summary
A cybersecurity incident involved unauthorized access to, and theft of, national exam papers from OCR and other British exam boards. The stolen materials were subsequently sold online to students seeking to cheat. The incident, in which a school's internal email system was used to request the papers, prompted investigations by multiple police forces. Students found to have purchased the stolen exams risk having their results disqualified and face potential bans from retaking exams, impacting university placements.
Description
On or around June 16, 2023, Surrey Police confirmed they were investigating an allegation of fraud and computer misuse involving a data breach at the AQA examination board, whose main office is based at the University of Surrey. The incident was reported to the police on that date, which fell toward the very end of the exam season running between May 15 and June 27, although the exact timing of the breach itself was not made clear. This incident was part of a broader series of hacks targeting multiple British exam boards, including OCR and Pearson Edexcel, which prompted investigations by law enforcement. Police in Britain launched investigations into multiple incidents in which national exam papers for school-leavers were stolen by hackers and subsequently sold online to students seeking an unfair advantage on their high-stakes tests.

The method of intrusion for the incidents affecting OCR and Pearson Edexcel differed from the AQA case. It was suspected that a hacker was able to gain access to a school's internal email system. From this compromised position, the threat actor then used the school's email infrastructure to request exam papers directly from the exam boards. This approach leveraged the trusted communication channel between schools and examination bodies to fraudulently obtain genuine papers. The specifics of the breach affecting AQA were not detailed in the same manner, with authorities only confirming an investigation into fraud and computer misuse related to a data breach.
The primary impact of these incidents was the theft of genuine examination papers. These stolen materials were then offered for sale online to students preparing to take their exams. While the exam season in England and Wales typically sees a seasonal surge in attempts to sell counterfeit exam papers, these incidents were notable because they involved actual, legitimate data breaches impacting the exam boards themselves, making genuine papers available for purchase. The main examinations affected were the GCSEs, typically taken by 16-year-olds at the end of compulsory education, and A-Levels, which are a key component of university entry requirements.
The law enforcement response was coordinated across multiple agencies. Cambridgeshire Constabulary confirmed they were investigating a data breach where two examination boards, OCR and Pearson Edexcel, had exam papers extracted from their systems and sold online. They stated their investigation was still in its early stages and that the force was collaborating with the UK government and the National Crime Agency’s cybercrime unit. Surrey Police separately took on the investigation into the breach at AQA. At the time of the reports, no arrests had been made in connection with any of the incidents.
The affected exam boards did not provide individual public comments on the breaches. Instead, they responded collectively through their representative body, the Joint Council for Qualifications (JCQ). The JCQ issued a statement confirming that "Exam boards have reported a small number of contained incidents of alleged fraud to the police." The JCQ spokesperson emphasized that because the police were actively investigating, it would not be appropriate to provide further information. This collective and limited response indicated a coordinated effort to manage the situation without compromising the ongoing criminal investigations.
The potential consequences for students involved in the malpractice were severe. Students who were found to have purchased the stolen exams faced the prospect of having their results disqualified and being banned from re-sitting the exams for a set period. This disciplinary action carried significant long-term implications, as it could directly cause students to miss out on their university placements, altering their educational and professional trajectories. The JCQ spokesperson reinforced this, stating that as in any year, those found to have been involved in malpractice would face severe consequences, aligning with standard examination security protocols.
These incidents occurred in a broader international context of cyber threats targeting educational assessment systems. In late May of the same year, a separate cyberattack had disrupted national end-of-year high school exams in Greece, demonstrating that education systems were becoming a target for malicious actors seeking to undermine the integrity of critical testing processes. The breaches at the British exam boards highlighted a specific threat to the integrity of the national examination system, raising fears of widespread cheating and undermining the fairness and value of the qualifications. The primary concern was that the availability of stolen papers could compromise the entire examination process for those subjects and papers that were affected, casting doubt on the results and the integrity of the students who achieved them. The investigations by multiple police forces and the National Crime Agency underscored the seriousness with which the incidents were treated at a national level.
