INTO, the Irish National Teachers Organisation, has reported that it was the target of a cyber attack in recent days, notifying up to 30,000 teachers and retired staff who may have had their personal data compromised. The organisation has stated that any user who has completed online courses on their website (intolearning.ie) may be affected, which includes not only current teaching staff but also past staff who had booked retirement planning courses.
INTO, the Irish National Teachers’ Organisation, does not believe any financial data was accessed during the attack
The breach occurred last week, and is believed to have been orchestrated by cyber criminals overseas. The primary target of the breach was not actually data, but the organisation’s servers. These were then used to send out mass spam messages. However, the hackers would have had access to names, email address, physical addresses, genders and course information of the aforementioned 30,000 teachers and staff. The union has also stated that, in a limited number of cases, the hackers may have had access to mobile numbers, INTO membership numbers, schools roles and Teaching Council registration numbers.
INTO has assured all users that no financial data was obtained or accessed by the hackers, as all course payments were processed via a secure third-party app, Realex. Furthermore, all passwords were stored in an encrypted database, secured from unauthorised access. The official statement from INTO’s general secretary, Peter Mullan, read “While we have no evidence to suggest this data was in fact stolen, the data was potentially at risk and thus potentially accessible to the third party behind the breach”. He continued, “We have taken down the website as a precaution and are awaiting a full report on the attack from the company responsible for the management of the website. When the website is back up and running we advise that you change your password as a precautionary measure. We also suggest that you treat any unusual emails or requests for further information with caution”.
While the risk in this particular incident appears to be low, the Irish National Teachers Organisation says it is taking the incident very seriously. “We have informed the Office of the Data Protection Commissioner of the breach and are taking advice and direction from them. We have also notified the Gardaí”. Wisely, the company has also chose to commission a cyber security audit in the wake of this incident, to determine exactly how the breach occurred and how it could be prevented in the future.
We suspect that the upcoming GDPR is on the minds of INTO staff at the moment, as this breach, if it had occurred just 8 months later, could have resulted in a multi-million Euro fine. For any company who wishes to stay out of the headlines, we advise auditing your cyber defences before a cyber attack or breach such as this occurs. Unfortunately, with the stark rise of cybercrime-as-a-service and ransomware, suffering a cyber attack has become a matter of when, not if.