NSW Dept of Ed confirms PII stolen in cyber-attack


Personally identifiable information (PII), including names and email addresses, was found to have been stolen in a cyber-attack targeting the NSW Department of Education (DoE) mid-last year, the agency has confirmed, though other sensitive data held by the DoE appears to have been spared from loss.

Announcing the conclusion of a forensic post-mortem, DoE Secretary Georgina Harrisson confirmed that no passwords, banking records, credit or debit card numbers, financial records, government identifiers or health records were accessed during the attack, which occurred in July 2021.

“Based on this investigation, the data taken in the attack was limited to personal information such as names and email addresses,” Harrisson said.

The DoE said it has collaborated with the Australian Cyber Security Centre, the NSW Information and Privacy Commissioner, and the NSW Police in its investigations of the attack.

More than six months after the breach, the Department conceded the investigation process was “extremely complex and time-consuming”.

Harrisson, however, praised the “robust cyber security measures required of all NSW Government departments” in preventing any further loss of data.

She said the DoE’s tech and security teams were able to “spot the attack unfolding and take immediate steps to block it”.

This interception prevented any further transfer of sensitive data to the hackers.

The attack, which occurred just days before the resumption of school term three last year, forced the Department to deactivate a number of its internal systems for several days “as a precaution” to prevent further loss of data.

Systems were fully restored by 10 July, two days after the breach announcement on 8 July.

Online portals used by both staff and students were impacted by the attack, as well as the DoE’s email and the staff intranet.

The untimely breach occurred as students across the Greater Sydney region were preparing for their return to school. It was also the same day the NSW Government announced students in lockdown areas would be required to learn remotely due to the state’s growing Covid-19 outbreak.

The DoE has announced it has commenced a breach notification and support program to assist those whose personal information was stolen in the attack.

“We acknowledge the seriousness of this incident and apologise for the distress that the incident may have caused,” Harrisson said.

Only those whose personal details were found to have been stolen will be contacted by the Department.