Cyber Incident Victim: Holy Family Roman Catholic and Church of England College
Date:
Sep 2022
Location:
United Kingdom
Summary
A cyberattack by the Vice Society hacking group compromised Holy Family RC + CE College alongside multiple other UK schools, resulting in the theft and subsequent leak of highly sensitive data including children's SEN records, passport scans, staff contracts, and financial details. The attackers demanded ransom before publishing stolen documents on the dark web after non-payment. Operational disruptions occurred, with IT systems and communication channels disabled, forcing temporary reliance on alternative platforms. Forensic investigators were engaged to restore systems and assess the breach, while authorities including the ICO and police investigated. The incident highlighted systemic vulnerabilities in educational institutions' cybersecurity defenses against financially motivated threat actors.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In September 2022, Holy Family RC + CE College in Heywood was among 14 UK schools compromised by the Vice Society hacking group, which exfiltrated and later leaked highly sensitive data. The attackers infiltrated school networks, stealing confidential documents including children's Special Educational Needs (SEN) information, child passport scans, staff pay scales, and employment contracts dating back to at least 2011. This breach formed part of Vice Society's broader campaign targeting educational institutions in the UK and US, including a high-profile attack on Los Angeles Unified School District involving 500GB of data. The group typically demanded ransom payments before publishing stolen data on dark web portals inaccessible through standard browsers. At Holy Family and other affected schools, operational disruptions occurred when attackers compromised IT systems—though specific technical details of the intrusion vector remain unspecified in public reports. The BBC verified leaked documents from multiple institutions on Vice Society's dark web site, including folders categorizing passports, contracts, and confidential administrative records. For Holy Family, the exact date of initial compromise was not disclosed, but Pates Grammar School's parallel attack on September 28 provides contextual timing, with system outages and forced transitions to temporary communication channels like Gmail occurring across affected institutions.
Authorities including the Information Commissioner's Office (ICO) and local police launched investigations into the breaches in late 2022. Holy Family and other schools engaged cybersecurity specialists to conduct forensic analyses, restore systems, and assess data exposure. While Holy Family's specific remediation steps weren't detailed, comparable institutions like Pates Grammar School reported partial system restoration and ongoing coordination with law enforcement. The School of Oriental and African Studies—another victim—confirmed a September 2022 breach involving 18,680 files, including staff contracts and budget documents, noting they had contained the incident to a "limited data breach." All affected schools initiated stakeholder notifications, with Holy Family's data appearing alongside institutions like Durham Johnston Comprehensive School and St Paul's Catholic College in the leaked troves. The FBI had previously issued alerts about Vice Society's extortion tactics, emphasizing education sectors' vulnerability due to resource constraints in IT security. No public confirmation emerged regarding whether Holy Family paid ransom demands, though the group published data from multiple non-paying victims. By January 2023, investigations remained active, with schools continuing to evaluate the full scope of compromised records including decades-old passport scans and sensitive student bursary information.