IronSights

Industries · Education

Cyber security for Australian education.

Education is the fourth-most-breached sector in Australia. Behind health, government and finance — and ahead of retail. Schools and universities hold student records, staff payroll data, research files and in some cases welfare disclosures for children. Attackers know what that data is worth.

IronSights works with independent schools, universities and TAFE providers across Australia. ISO 27001 certified, Microsoft certified, Sydney-based.

Threat landscape

Why education is targeted.

Education logged 44 notifiable data breach notifications in the first half of 2024, 8 per cent of the national total, according to the Office of the Australian Information Commissioner. The sector has ranked in the top five consistently across multiple reporting periods.

QUT suffered a Royal ransomware attack in December 2022. The group took down the university's Blackboard learning management system, Cisco AnyConnect remote access network and network storage. When the breach count was finalised, 11,405 individuals had been affected — 2,492 current staff, 8,846 former staff, and a smaller number of students. The university notified the OAIC.

In December 2024, the Fog ransomware group listed Waverley Christian College in Victoria as a victim. The school, which has around 2,270 students, confirmed the incident and notified both the ACSC and the OAIC. The group claimed around 5 gigabytes of data including financial records and internal correspondence.

Australia's National Cyber Security Coordinator warned in October 2023 that schools are becoming increasingly attractive ransomware targets, citing their inability to maintain full-time security teams or fund 24/7 threat response coverage. The gap between the data schools hold and the resources they can apply to protecting it is not closing.

How we help

How IronSights supports Australian education providers.

The schools and universities we work with want to know what their actual risk is, what has to change, and what they can show their board, their insurer or their regulator. We start with a structured review and work from there.

Fortify — managed security

Around-the-clock monitoring across endpoints, identities, email and cloud. Fast containment when something goes wrong. Monthly uplift and a posture report your board can read. For schools and universities without a dedicated security function, Fortify provides the ongoing coverage that stretched IT teams rarely sustain on their own.

Microsoft 365 security

Most Australian education providers run on Microsoft 365. We harden those environments: Defender for Business, DMARC, DKIM and SPF, and classification of student welfare records and research data. Without those controls, a compromised staff account with broad access can reach years of student records without triggering a single alert.

Penetration testing

External network, internal network and web application tests across student portals, LMS platforms, enrolment systems and administrative environments. Each engagement produces a risk-rated report your IT team can act on and your board can read. Free retest included within thirty days.

Audit and assurance

Baseline assessment. A board-ready report with a prioritised remediation roadmap. For Victorian government schools, we map findings against VPDSS requirements. For private schools and universities, we map against Privacy Act obligations.

Incident response

Available 24 hours a day: containment, investigation, notification support and insurance documentation. The QUT and Waverley attacks both triggered reporting obligations. Knowing exactly when that clock starts and what information you need to provide is not something to work out under pressure.

Security reviews

Most clients start here. We identify your highest-priority gaps, give you a clear picture of your exposure, and recommend the right next steps without selling you more than you need.

Compliance

Regulatory obligations for Australian education.

Privacy Act coverage depends on who you are and how you are structured. This gets confused regularly.

Privacy Act

Independent schools and private providers

Independent schools, private universities, private TAFE providers and other non-government education organisations are subject to the federal Privacy Act 1988 and the Australian Privacy Principles. The Notifiable Data Breaches scheme requires notification to the OAIC and affected individuals when a breach is likely to cause serious harm. For a school holding student welfare records, medical information and parent financial data, most significant breaches will meet that threshold. The Privacy and Other Legislation Amendment Act 2024 increased penalties available to the OAIC for serious or repeated privacy interferences.

State law

Government schools and public universities

Most Australian public universities are state and territory authorities under section 6C of the Privacy Act, which excludes them from the federal regime. They comply instead with state and territory privacy legislation. State education departments, including government schools within them, are also governed by state frameworks rather than federal APPs. Private universities and the Australian National University are exceptions and are directly subject to the federal Privacy Act.

VPDSS

Victorian government schools

Victorian government schools must align information security practices with the Victorian Protective Data Security Standards published by OVIC, and must formally assess and document information security risks at least once per school term, four times per year. The department provides a pre-populated risk register. Schools that have not completed those quarterly assessments are out of compliance with a documented state-level obligation, not just a recommended practice.

NDB

Notifiable data breaches in education

Education logged 44 NDB notifications in the first half of 2024, 8 per cent of the national total, making it the fourth-most-reported sector. Both the QUT ransomware attack (December 2022) and the Waverley Christian College incident (December 2024) triggered OAIC notifications. The notification requirement applies when there has been unauthorised access to or disclosure of personal information and there is a real risk of serious harm to the affected individuals.

Common risks

What we find when we work with education providers.

Legacy infrastructure

Schools and universities run older systems far longer than most organisations. End-of-life operating systems, unpatched applications and unsupported network hardware are common. The QUT attack specifically targeted a vulnerability in legacy infrastructure. Attackers scan for these systematically and know that education environments patch slowly.

Shared and reused credentials

Staff accounts with shared passwords, default credentials on network equipment and student accounts with weak or recycled passwords all show up regularly. A single phished account with access to student information systems or shared drives can expose records at scale.

Third-party EdTech risk

Schools and universities connect dozens of third-party platforms: learning management systems, student information systems, enrolment portals, wellbeing apps and communication tools. Each is a potential entry point. Most institutions have no complete picture of which vendors hold their data or what security standards those vendors meet.

Student and staff data without classification

Student welfare records, medical information, financial assistance data and disciplinary files sit in shared folders alongside routine administrative documents. When an account is compromised, an attacker can reach the most sensitive records without any additional effort. Data classification changes that equation.

No tested incident response plan

Most institutions have a written policy. Few have tested it under conditions that resemble a real incident. When ransomware hits a school at 11pm during term, the practical questions need answers that do not require locating the right document under pressure. A tabletop exercise once a year usually finds the gaps before an attack does.

Inadequate backup configuration

Backups that are connected to the main network are encrypted alongside production data in a ransomware attack. Offline or immutable backups stored separately are the difference between a recovery that takes days and one that takes weeks. Many education institutions have not verified that their backups are recoverable until they need to.

Who we work with

Education providers we work with.

Independent schools

Private and independent schools are subject to the federal Privacy Act. Student welfare data, counselling records and parent financial information are all covered. The Waverley Christian College incident in December 2024 confirms that K-12 private schools are active targets, not hypothetical ones.

Universities

QUT's December 2022 ransomware attack shut down Blackboard, Cisco AnyConnect and network storage, affecting 11,405 individuals. CyberCX ranked cyber-enabled espionage and foreign interference as the top two threats facing Australian higher education as of April 2025. Private universities face direct federal Privacy Act obligations. Public universities fall under state frameworks.

K-12 schools

Government schools run stretched IT teams across multiple campuses, often with minimal security tooling. Australia's National Cyber Security Coordinator warned in October 2023 that schools are becoming ransomware targets specifically because they lack the resources for 24/7 threat response. Victorian government schools have a documented quarterly compliance obligation under the VPDSS.

TAFE and VET providers

Private RTOs and TAFEs hold student enrolment records, AVETMISS data, qualification records and financial information. Private providers are subject to the federal Privacy Act. Public TAFE networks fall under state frameworks. Third-party student management systems and learning platforms extend the attack surface beyond the organisation's own infrastructure.

Common questions

Asked by education providers.

Not in this list? Call us on 1300 004 766 or book a 30-minute consultation. No obligation.

  1. Does the federal Privacy Act apply to our school?

    It depends on how the school is structured. Independent, Catholic and other non-government schools are subject to the federal Privacy Act 1988 and the Australian Privacy Principles. Government schools, as part of state and territory government departments, generally fall under state and territory privacy legislation rather than the federal framework. If you are unsure which regime applies to your institution, that is worth confirming with your legal team before a breach makes the question urgent.

  2. What does a notifiable data breach mean for a school?

    A notifiable data breach occurs when personal information is accessed or disclosed without authorisation and there is a real risk of serious harm to the affected individuals. For a school holding welfare records, medical information, counselling notes and family financial data, that threshold is met in most significant incidents. Notification must go to the OAIC and to the affected individuals. There is no fixed time limit in the federal Act, but the obligation arises without unreasonable delay once the school is aware or ought reasonably to be aware of the breach.

  3. Victorian government schools must do a quarterly information security risk assessment. What does that actually involve?

    The Victorian Department of Education policy requires schools to assess and document information security risks, including the effectiveness of current controls, at least once per school term. The department provides a pre-populated risk register to work from. In practice, many schools complete the register without a genuine assessment behind it. We can help you run a real assessment that satisfies the requirement and actually tells you something useful about your exposure.

  4. What is the biggest cyber risk for universities right now?

    CyberCX's April 2025 higher education security review ranked cyber-enabled espionage and foreign interference as the top two threats to Australian universities, ahead of ransomware and cyber extortion. For universities involved in defence-adjacent research, technology transfer or anything touching critical infrastructure sectors, that threat profile is different from what a commercial organisation faces. Ransomware is still a real and active risk — QUT's 2022 attack illustrates that clearly — but treating universities as though espionage is a distant concern gets the threat model wrong.

  5. How does IronSights work with education clients?

    We start with a security review: a structured assessment of your environment, identity controls, how student and staff data is stored and handled, and whether your incident response process would hold up under real conditions. From there, we recommend the steps matched to your size and risk profile. Some institutions want ongoing managed security through Fortify. Others need specific gaps addressed. We work across both.

Start with a review

Understand your actual exposure before an incident makes it clear.

We look at your environment, identity controls, how student and staff data is handled, and whether your incident response plan would function under real conditions. The output is a practical roadmap.

ISO 27001 and ISO 9001 certified. NSW Master Security Licence 000109187. Microsoft certified security engineers. Australian-owned. Sydney-based.