Frances King School of English

Frances King School of English, also known simply as Frances King, is a United Kingdom-based educational institution specializing in English language instruction. The school provides courses primarily for international students seeking to improve their proficiency in English for academic, professional, or personal development purposes. Its operations involve the enrolment, teaching, and pastoral care of students from various countries, which necessitates the collection and processing of significant personal and sensitive documentation. This includes handling passport scans for visa applications, records detailing special educational needs (SEN) for appropriate support, and standard administrative data such as staff contracts and payroll details. The school's core market is therefore the global community of learners requiring English language education within a UK setting, positioning it within the competitive international education sector. Its activities place it under data protection regulations due to the nature of the personal information it manages.

In September 2021, Frances King School of English was specifically targeted and compromised by the Vice Society hacking group, a known cybercriminal organization. This incident resulted in the exfiltration and subsequent public leakage on the dark web of highly sensitive data, including children's special educational needs records, passport copies, staff employment contracts, and payroll information. The attackers employed a ransomware tactic, demanding a ransom before publishing the stolen documents. The breach caused direct operational disruption, including IT system outages that forced the school to temporarily adopt alternative communication methods to continue its functions. Following the attack, the school engaged external cybersecurity specialists and law enforcement agencies to conduct a forensic investigation, work towards system restoration, and comprehensively assess the scope of data exposure. As part of its response, the institution undertook notifications to affected individuals and relevant regulatory authorities regarding the security incident and the potential compromise of their personal data.