Cyber Attack: Exam Boards
Surrey Police are investigating a fraud and computer misuse allegation at AQA, England's largest exam board. This follows the recent data breach at the exam boards OCR and Pearson, reported by Cambridgeshire Police. Full article: AQA also hit by exam paper cyber attack.
Cambridgeshire Police are investigating a cyber attack where it is thought a hacker posed as a school to obtain exam papers before selling them online. They said they were in the early stages of investigating a data breach involving exam boards Pearson and OCR. The incident is thought to relate to a school's email system being hacked and then used to request papers from the exam boards before the exam was taken. It is currently not known which exam this relates to. Full article: Police investigate stolen exam papers after cyber attack.
Centres usually receive exam papers weeks in advance. However, there is also a process to request emergency papers sent electronically if there is not enough time to post the papers.
The BBC recently reported that social media scammers are charging pupils hundreds of pounds for what they claim are leaked GCSE and A-level exam papers, but are likely fakes. At that time, the exam boards said that it is extremely rare for genuine papers to be leaked: Instagram seller quoted me £500 for a GCSE paper.
Given that both incidents reportedly stem from school email accounts being hacked, we would recommend that schools review the use of multi-factor authentication for email accounts: A guide to multi-factor authentication. Perhaps the exam boards need to add a step to their procedures for identifying whether an email request comes from a genuine source? All processes and procedures in an organisation should have a cyber security element to them. We provide best practice guidance around Information and Cyber Security in our best practice area: Information and Cyber Security Best Practice Area and our Information/Cyber Security Checklist.
What to do in the event of a Cyber Attack
Incidents or attacks where any security breaches may have taken place, or other damage was caused, should be reported to an external body.
The SLT digital lead will be responsible for assigning someone to report any suspicious cyber incidents or attacks. This person will need to report this to:
- Action Fraud on 0300 123 2040, or the Action Fraud website
- the DfE sector cyber team at
You may also need to report to:
- the NCSC website if the incident or attack causes long term school closure, the closure of more than one school, or serious financial damage
- the ICO website within 72 hours, where a high risk data breach has or may have occurred
- your cyber insurance provider (if you have one), such as the risk protection arrangement (RPA)
- Jisc, if you are a part of a further education institution
You must act in accordance with:
- Action Fraud guidance for reporting fraud and cyber crime
- Academy Trust Handbook Part 6, if you are part of an academy trust
- ICO requirements for reporting personal data breaches
Police investigations may find out if any compromised data has been published or sold and identify the perpetrator.
Preserving evidence is as important as recovering from the crime.
Forward suspicious emails to
