Cambridgeshire police are investigating a cyber attack where it is thought a hacker posed as a school to obtain exam papers before selling them online. They said they were in the early stages of investigating a data breach involving exam boards Pearson and OCR. The incident is thought to related to a school's email system being hacked and then used to request papers from the exam boards - before the exam was taken. It is currently not known which exam this relates to. Full article: Police investigate stolen exam papers after cyber attack.
Centres usually receive exam papers weeks in advance. However, there is also a process to request emergency papers sent electronically if there is not enough time to post the papers.
The BBC recently reported that social media scammers are charging pupils hundreds of pounds for what they claim are leaked GCSE and A-level exam papers, but are likely fakes. At that time, the exam boards said that it is extremely rare for genuine papers to be leaked: Instagram seller quoted me £500 for a GCSE paper.
Given that both incidents are reportedly from school email accounts being hacked we would recommend that schools review the use of multi-factor authentication for email accounts: Contracts Register. Perhaps the exam boards need to add to their procedures of how to identify if the email request comes from a genuine source? All processes and procedures in an organisation should have a cyber security element to them. We provide best practice guidance around Information and Cyber Security in our best practice area: Information and Cyber Security Best Practice Area and our Information/Cyber Security Checklist.
What to do in an attack:
Tell someone! Report to IT. Report to SLT.
Unplug the computer from the internet by removing the ethernet cable or turning the Wi-Fi off.
If you are a victim of a ransomware attack we would recommend reporting this to Action Fraud: https://www.actionfraud.police.uk/ as well as your data protection officer so they can advise about the data loss. Most cyber crimes like these will also need to be reported to the ICO by your data protection officer.
Isolate the infected device and pass to IT
Always ensure there are backups you can restore from.
Little Guide to ACTION FRAUD
Remember – ‘Hackers don’t break in they login’!