The Breach Ledger is a Coastal Cyber research series examining cyber incident trends across Australian industries. Each edition draws on three primary sources: the Webber Insurance named breach register [1] (678 Australian incidents, 2018–2026), OAIC Notifiable Data Breach reports published since the scheme commenced in February 2018 [2], and threat intelligence from the ASD Annual Cyber Threat Report [3]. Together, they map what is happening in a given sector, what the consequences look like in practice, and what organisations are risking by treating security as next year’s budget problem.
This is the Education Edition.
The Interlock ransomware group published 591 gigabytes of data stolen from Loyola College, a Catholic secondary school in Victoria. The data included passports. Family financial records. Staff files. The kind of personal information that families hand over at enrolment, trusting that the school will protect it. Loyola declined to pay the ransom. The attackers published it anyway.
Every affected family now has their identity documents and financial details permanently on the dark web. The college reset every password across the institution — every staff member, every student, every parent — after the data was already gone.
This is not a hypothetical. It is documented. And Loyola is not alone.
- Schools are in the breach record, and the frequency is rising. Seven named K-12 incidents from 2019 to June 2026 — four of them in the last eighteen months. The OAIC recorded 38 Education sector breach notifications in the first half of 2025 alone.
- Faith-based independent schools are a defined target. The incidents below are not random. They reflect a sector with sensitive data, under-resourced IT, and a community that cannot afford to lose trust.
- The biggest risk is not ransomware. It is human error. OAIC data shows 74% of Education sector NDB notifications in the first half of 2025 were caused by staff mistakes — not external attack.
- The cost of doing nothing is documented, not theoretical. Passports on the dark web. Mandatory OAIC notifications. Community-wide credential resets. These outcomes have names and dates attached to them.
Seven named K-12 incidents in the Australian breach record since 2019. Four occurred in the eighteen months to June 2026.
| Year | School | State | What happened |
|---|---|---|---|
| 2019 | Nagle Catholic College [5] | WA | Parent banking details targeted in a cyber attack on the school’s payment systems |
| 2023 | Mount Lilydale Mercy College [6] | VIC | Parent credit card data stolen; hundreds of families affected via a supply chain compromise |
| 2024 | Mt Hira College [7] | VIC | ~750 student records including names, email addresses and passwords published online |
| 2024 | Waverley Christian College [8] | VIC | Fog ransomware; 5GB stolen including financial and insurance documents |
| 2025 | Belmont Christian College [9] | NSW | Qilin ransomware; student and staff data including immunisation records and payment histories |
| 2025 | Scotch College [10] | VIC | Breach via alumni database; family and graduate contact data exposed |
| 2025 | Loyola College [4] | VIC | Interlock ransomware; 591GB published including passports, financial records and staff files |
Three separate ransomware groups. Three different attack vectors. One consistent target profile: faith-based and independent K-12 schools with community databases, payment records, and sensitive student data on file.
38 Education sector NDB notifications in the first half of 2025 — placing Education fourth among all sectors, behind Health, Finance, and Australian Government. In a sector that, by popular perception, does not consider itself a target.
The Webber Insurance breach register captures 678 named Australian cyber incidents from 2018 to June 2026. Thirteen involve K-12 schools or school-adjacent platforms. That count understates the real picture — it reflects only publicly reported events, not the full volume of unreported incidents or supply chain compromises that swept up schools without naming them directly.
The trajectory on named school incidents is unambiguous: one in 2019, one in 2023, two in 2024, three in the first half of 2025, two more in early 2026. That acceleration reflects a market reality: ransomware toolkits are cheap, school IT environments are often under-resourced, and the data schools hold is among the most sensitive in the country.
Independent schools — particularly faith-based schools — hold a data inventory that most organisations would find difficult to match for sensitivity:
- Student enrolment records: dates of birth, home addresses, family structure
- Family financial records: fee histories, scholarship assessments, hardship applications
- Student health and welfare notes: medical conditions, learning needs, counselling records
- Staff employment files: payroll, tax file numbers, superannuation, background check results
- Identity documents: passports and birth certificates provided at enrolment
- Alumni records, in some cases going back decades
What is less visible — but equally real — is the physical record. Most schools hold years of enrolment paperwork, HR files, and identity documents in filing cabinets, with no documented retention schedule and no destruction policy. The question of when that 2009 enrolment packet gets shredded is rarely asked until it needs to be. The Privacy Act applies to physical records the same as digital ones, and a school that has no process for reviewing or destroying physical personal information carries a liability that no IT investment resolves.
When a ransomware group targets a school, they are targeting the data room. That data room is usually larger than the IT team realises.
74% of Education sector NDB notifications in the first half of 2025 were caused by human error — not ransomware, not credential theft. Emails sent to the wrong recipient. Unauthorised disclosures. Data accessible where it should not have been. Only six of those 38 notifications resulted from a malicious or criminal attack.
This matters because it shapes the investment argument correctly — but it does not simplify it. Training staff and improving data handling processes will reduce the frequency of human error events. It will not eliminate them. The technical controls in any serious security programme serve a different purpose: they limit what happens when prevention fails. Verified backups mean a ransomware event does not become unrecoverable. Least-privilege access means a compromised account does not hand an attacker the keys to every system in the school. An incident response plan means the difference between a contained, notified breach and one discovered six months later during an insurance claim.
The 74% figure tells you where to start — with people and process — not where to stop.
For a faith-based independent school, the starting point is not a penetration test or an ISO 27001 programme. It is these six things:
1. Verify your backups work. Run a restore test on your most critical system — your email platform or student management system — and document the result. A backup that has never been tested is not a backup; it is a liability with a dashboard showing green.
2. Implement MFA on everything external. Student management system, email, school management platform, social media accounts. Credential theft is the initial access method in the majority of Australian school incidents. MFA removes the easiest path.
3. Build a one-page incident response plan. Who calls whom. Who talks to parents. Who contacts the insurer. Who notifies the OAIC if required under the NDB scheme. The plan does not need to be long. It needs to exist before the incident, not during it.
4. Audit who has access to what. Shared admin accounts, service accounts with elevated permissions, access held by staff who left twelve months ago. These are present in every school environment this practice has assessed. They cost nothing to remove.
5. Train staff on the scenarios that have happened. Invoice fraud. Phishing emails impersonating the principal or a supplier. Requests to redirect payment to a new account. Three incidents matching these patterns occurred at Australian schools in the past eighteen months. Recognition is a more effective control than most software products.
6. Commission a professional cyber health assessment. An independent assessment gives leadership a clear, evidenced picture of what is working, what is not, and what carries the most risk — before an incident forces the conversation. Coastal Cyber’s Cyber Health Check is designed specifically for schools and resource-constrained organisations.
None of these require significant capital investment. Together, they represent the difference between a recoverable incident and one that ends on the OAIC’s public notification register — or on the dark web.
The OAIC publishes the list of organisations that have notified a data breach. It is searchable. Parents search it.
The question is not whether your school holds sensitive data — it does. The question is whether, if something went wrong this term, the school could demonstrate it had taken reasonable steps. Reasonable steps are documented. They are evidenced. They do not exist only in the IT manager’s memory.
The cost of reasonable steps is a rounding error against the cost of the alternative.
That is because it is. Managing data risk in a school is not one job — it is several, distributed across IT, leadership, governance, and legal, in an organisation that runs on trust. Doing it without a trusted partner is where most schools stall.
If you are wondering which thread to pull first, that is exactly the conversation worth having with a GRC professional before you spend a term going in circles. A few hours of advice early saves weeks of internal debate and considerable heartache later.