Cyber Incident Victim: Kilvington Grammar School
Date:
Oct 2022
Location:
Australia
Summary
A ransomware attack by the Lockbit 3.0 group compromised sensitive data from Kilvington Grammar School, exposing personal details of over 1,000 current and former students. The breach included confidential documents such as parent bank account numbers, legal disputes, academic records, medical information, and privileged legal advice concerning a student's death investigation and an alleged teacher assault. While the institution notified affected families of limited data exposure, the published information was far more extensive than initially disclosed. The school acknowledged shortcomings in its communication process, expressing distress over the incident's impact on its community. This attack reflects broader trends of cybercriminals targeting educational institutions to exploit highly personal data for financial gain.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In October 2022, Kilvington Grammar School, an independent school in Melbourne, experienced a significant cybersecurity incident involving the ransomware gang Lockbit 3.0. The attackers exfiltrated and subsequently published sensitive data belonging to over 1,000 current and former students. The school initially notified parents via email on November 2, characterizing the leak as a “limited amount of data” taken from their systems. This notification described compromised information as parent contact details, Medicare numbers, health information including allergies, and partial credit card data. However, ABC Investigations later determined the published cache was far more extensive than disclosed, containing bank account numbers of parents, legal disputes between families and the school, academic records such as report cards and test results, and privileged documents related to a teacher accused of assaulting a student. Most notably, the leak included confidential legal advice and investigative materials concerning the 2019 death of 16-year-old student Lachlan Cook during a school trip to Vietnam, which was the subject of an ongoing coronial inquest. The Cook family was not informed these specific documents had been compromised.
The breach’s aftermath revealed significant gaps in victim notification and transparency. Multiple parents expressed frustration that the school downplayed the severity of the breach, with one parent describing the published data as “absolutely more sensitive” than initially communicated. Kilvington Grammar’s marketing director acknowledged shortcomings in their notification process, calling it an “imperfect” effort to list compromised data “to the best of our abilities.” The school stated it had adopted a “conservative approach” by contacting all potentially affected families and suggested protective measures, but did not confirm whether a ransom was demanded or paid. Lockbit 3.0, identified as a prolific ransomware group, also targeted other Australian organizations during this period, including a law firm and a hospitality company. The incident exemplified broader trends highlighted by Australian Federal Police, who noted a 13% annual increase in cybercrime reports and emphasized cybercriminals’ growing exploitation of personal data for financial gain. Under Australia’s Privacy Act, entities must notify individuals of breaches likely to cause “serious harm,” but Kilvington’s failure to fully disclose the breach’s scope mirrored systemic issues observed in contemporaneous breaches like the CTARS NDIS data theft.