In the wake of the disturbing data breach at UK-based nursery Kido, Infosecurity spoke with a CISO in the education technology sector to unpack the broader implications for cybersecurity in schools and early learning organizations.

The data breach affecting Kido shocked many and has been cited as a new low for cybercriminals.

The incident, which began in September, saw threat actors steal children’s personal data, including images, and begin to publish the data in increments online, threatening to continue to do so if they were not paid. In some cases, it is understood that parents of children affected in the data breach received threatening phone calls from the hackers.

It has been reported that the breach occurred after hackers accessed data hosted on a third-party software service.

Following the backlash against the hack, not just in public but also on underground criminal forums, the latest reporting suggests the hackers, operating under the name Radiant, have removed the images of children from the data leak site.

While the story continues to unfold, Infosecurity spoke to a CISO in the education technology sector about the fallout from the incident and wider issues of cybersecurity in schools and nurseries.

Elliott Lewis is the CISO for ParentPay Group, as well as the MD of GDPRiS, ParentPay’s specialized data protection and security subsidiary. ParentPay is a UK-based company that provides a secure online payment platform for schools (including primary, secondary and independent schools) and families.

Lewis has over 20 years of experience in cybersecurity and set up ParentPay’s own cybersecurity function a decade ago. During the conversation, Lewis shared his views on the recent Kido breach and why budget and skills remain a core challenge for the sector’s cybersecurity posture.

CISO Spotlights Cybersecurity Challenges in Education - Infosecurity Magazine

Infosecurity Magazine: Regarding the breach involving Kido, what is your reaction to the incident, and is there anything that strikes you as unique?

Elliott Lewis: There is a precedent for people to be contacted directly and extorted and threatened. It is unusual, but it has happened before. But there was always an unwritten rule that these sorts of hackers were following that this would not happen.

What is unprecedented, to my knowledge, is the targeting of children of such a young age and publishing their information.

Focusing on that so prominently and targeting parents with that information, I haven’t seen that before. That is undoubtedly what has caused the uproar.

IM: Based on what we know about the incident, do you think the hackers specifically targeted Kido and the information it held about children for its extortion campaign?

EL: It is an evolving situation, but the nature of the data breached and past experience tells us that in all likelihood the threat actors have got their hands on breached credentials. More likely than not this has come from somebody's personal device where they have used their corporate credentials which have been stolen by malware and sold on the dark web.

These threat actors have simply found that one password, seen where it's usable and logged in and immediately come across this wealth of data.

I doubt they had a strategic objective of finding that, rather they’ve sort of stumbled across it and ran with it. And [because of the backlash] it sounds like they deeply regret it.

IM: Should sensitive data and images relating to children have additional protection to prevent hackers accessing it?

EL: There's a risk-based approach to personal information. The more sensitive it is, the more protective technical and organizational measures that need to be applied. In this case, again drawing conclusions and purely speculation, it looks likely it was a username and password that's been compromised and more should have been done to prevent that.

Multi-factor authentication (MFA) would have been a viable option. Maybe it was there. Beyond that, the data could have been encrypted and then it would only be accessible to those with a certificate on their machine.

There are various layers of protection and defense and depth which would apply. Certainly, the more sensitive information is, the more layers and protection should be applied.

IM: What are the challenges educational establishments face in incorporating sufficient cybersecurity into their systems?

EL: Budget is certainly going to be a challenge for all, but more so for state-funded schools and organizations. We do see that as being a challenge everywhere, they have limited resources. The overwhelming feedback is that they just don't have any money to spend, and it's perceived, therefore, that they can't deploy the security controls that they need.

That's a big thing, but I think an even bigger issue is the lack of expertise and time. On lots of occasions you’ll discover institutions where there just aren’t experts on the ground that can manage these cybersecurity risks. They often lean on IT service providers and assume that they’re doing something about cybersecurity, whereas that is not necessarily the case.

Budget, expertise and time are big constraints, and I think those issues are causing so many schools to be vulnerable.

IM: What can organizations in the education sector do to overcome these issues?

EL: It is overwhelming to be constantly inundated with news about breaches and what these organizations should and shouldn’t be doing. Yet, they know they haven’t got the money or skills and don’t necessarily know where to start.

My suggestion would be to focus on one area at a time and to keep it simple. Don’t be concerned with trying to fix everything, you’ve got to tackle the high value, low-cost issues first.

There are plenty of things that can be done with little or no cost. Reviewing all the users, identifying who’s got access and making sure MFA is turned on doesn't carry a significant cost beyond somebody taking the time to do it. That’s going to have a material impact on their posture.
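The user and MFA review Lewis describes can be done from a plain account export without any specialist tooling. The script below is an added example, not code from the interview, ParentPay or GDPRiS; the export columns, the sample accounts, the review date and the 90-day inactivity threshold are all assumptions, and a real export from an identity provider or school MIS would need its own column mapping. It ranks findings so that the highest-value, lowest-cost fixes (a privileged account with no MFA) come out first.

```python
"""Access review triage over a constructed user export.

Added example: the export format, field names, sample accounts and thresholds
are assumptions, not taken from any real school system.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export; every account here is made up for illustration.
SAMPLE_EXPORT = """\
username,role,enabled,mfa_enrolled,last_login
head.office,admin,true,true,2025-09-28
ict.support,admin,true,false,2025-09-30
j.smith,staff,true,true,2025-09-29
a.jones,staff,true,false,2025-03-02
old.contractor,staff,true,true,2024-11-15
leaver.2024,admin,false,false,2024-06-01
"""

REVIEW_DATE = datetime(2025, 10, 1, tzinfo=timezone.utc)  # assumed date of the review
STALE_AFTER = timedelta(days=90)                           # assumed inactivity threshold


def parse_export(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": row["username"].strip(),
            "role": row["role"].strip().lower(),
            "enabled": row["enabled"].strip().lower() == "true",
            "mfa_enrolled": row["mfa_enrolled"].strip().lower() == "true",
            "last_login": datetime.strptime(row["last_login"].strip(), "%Y-%m-%d")
                                  .replace(tzinfo=timezone.utc),
        })
    return rows


def review_accounts(rows, now=REVIEW_DATE, stale_after=STALE_AFTER):
    """Return findings as (priority, username, reason), highest priority first.

    Priority 1: enabled privileged account without MFA.
    Priority 2: any other enabled account without MFA.
    Priority 3: enabled account with no login within stale_after (review or disable).
    Priority 4: disabled account that still holds a privileged role.
    """
    findings = []
    for acct in rows:
        name = acct["username"]
        privileged = acct["role"] == "admin"
        if acct["enabled"]:
            if not acct["mfa_enrolled"]:
                if privileged:
                    findings.append((1, name, "privileged account without MFA"))
                else:
                    findings.append((2, name, "account without MFA"))
            if now - acct["last_login"] > stale_after:
                findings.append((3, name,
                                 "no login in %d days; review or disable" % stale_after.days))
        elif privileged:
            findings.append((4, name, "disabled account still holds admin role; strip the role"))
    # Sort by priority, then name, so the list reads top-down as a to-do list.
    findings.sort(key=lambda f: (f[0], f[1]))
    return findings


def summarise(rows):
    """Headline numbers for the review: how many enabled accounts have MFA."""
    enabled = [r for r in rows if r["enabled"]]
    with_mfa = [r for r in enabled if r["mfa_enrolled"]]
    coverage = round(100.0 * len(with_mfa) / len(enabled)) if enabled else 0
    return {
        "total": len(rows),
        "enabled": len(enabled),
        "enabled_with_mfa": len(with_mfa),
        "mfa_coverage_pct": coverage,
    }


if __name__ == "__main__":
    accounts = parse_export(SAMPLE_EXPORT)
    print(summarise(accounts))
    for priority, user, reason in review_accounts(accounts):
        print("P%d %-16s %s" % (priority, user, reason))
```

Running it on the constructed export reports 60% MFA coverage across enabled accounts and puts the admin account without MFA at the top of the list, followed by the staff account without MFA, the two dormant accounts, and the disabled leaver still holding an admin role. The same rule set can be re-run each term to show whether the posture is improving.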

Most schools will have an awareness training program, but it's probably a tick box exercise where somebody has to do the course when they join and that’s it.

Assigning one person to really own and champion that program could make a material difference to peoples’ awareness.

No doubt they've almost all got an antivirus solution but assigning somebody to properly own and manage that solution will make a difference. Often it's just left and likely forgotten, with the assumption it will still protect them. It needs somebody watching that tool and it doesn't have to be an expert.

As long as they've got a route to escalate when they see something suspicious, assigning an owner for awareness programs and tools, even if it's a junior person, will be a gamechanger for schools.

IM: What roles do governments and local authorities have in supporting the education sector with cybersecurity?

EL: The UK National Cyber Security Centre (NCSC) and Department of Education (DoE) have cybersecurity guidance, but it’s just guidance. I do think that schools should be mandated to have a level of cyber posture, but they should only reasonably expect that to happen if it’s funded.

It is not for me to say how and if that is possible. But I certainly think schools should have their hand forced into making sure they've got these things in place.