The education team in the Bath office of law firm Stone King is warning head teachers in the city to be on their guard against online fraudsters who demand thousands of pounds in so-called ransomware attacks.
It says schools are being targeted by cyber criminals who first encrypt school data then seek money to unlock it.
In some cases the scammers first phone the school to get the head teacher’s email address. An email then arrives with an attachment or link that, if opened or clicked on, will trigger a ransomware script and encrypt the school’s files, including potentially back-up files.
The fraudsters are then demanding up to £8,000 to unlock the data – but the financial cost to schools can be much higher, Stone King is warning.
The firm’s head of privacy & information law, Brian Miller, pictured, said: “Schools which fall foul of the scammers also face potential fines of up to £500,000 for serious breaches of the Data Protection Act if it can be shown they are in some way responsible for the breach.
“From May 2018, organisations face fines of up to €10m (£8.6m) or 2% of turnover, whichever is higher, for lesser breaches of the new General Data Protection Regulation. This penalty doubles for serious breaches.
“In addition, a serious data protection breach by a school leading to safeguarding failures may have a negative impact on its reputation. As well as the disruption caused by a loss of data, this could also lead to a reduction in the pupil roll and affect a school’s Ofsted rating.”
Mr Miller added that if cyber criminals access sensitive information about pupils, a serious safeguarding breach would be committed.
“For academy schools, the ultimate sanction could involve the Secretary of State for Education serving a termination warning notice, which has the effect of closing down the school, unless certain conditions are met,” he said.
Stone King said schools should ensure that their antivirus software is as effective as possible against ransomware and should back up their data regularly. Staff should also be trained to spot suspicious emails containing ransomware, and schools should keep their policy documents up to date so that they flag these issues.