Cyber Incident Victim: Assessment and Qualifications Alliance

On March 21, 2017, the Assessment and Qualifications Alliance (AQA) detected unauthorized access to some of its online systems and immediately took the affected systems offline to address security vulnerabilities. Initial assessments suggested no data had been exfiltrated during the breach. However, a subsequent forensic investigation concluded on April 6—over two weeks after the initial detection—revealed that attackers had successfully accessed and stolen personal information belonging to 64,000 current and former examiners. The compromised data included names, addresses, personal phone numbers, security question answers, and passwords used for AQA’s examiner systems. AQA confirmed the breached systems did not contain bank details, student or school records, or examination materials, limiting the scope to examiner credentials and contact information.

AQA initiated a response by resetting all affected examiner account passwords and directly notifying individuals whose data was stolen. The organization reported the incident to the Information Commissioner’s Office (ICO) and Ofqual, the qualifications regulator. The ICO launched an investigation to determine whether AQA had complied with Data Protection Act obligations, with potential outcomes ranging from warnings to fines. AQA’s chief information officer publicly apologized, emphasizing that existing security measures had mitigated the attack’s severity but failed to prevent it entirely. As a precaution, AQA temporarily disabled its e-AQA platform for schools and colleges, though it confirmed this system was not compromised. The breach exclusively impacted examiner data, with AQA reiterating that summer exams would proceed unaffected. The incident marked another cybersecurity event in the education sector following earlier warnings about ransomware threats targeting schools in January 2017.