Cyber security for Australian independent schools.
Independent schools hold data that most organisations never deal with: welfare disclosures, counselling records, medical information for minors, parental separation documents and family financial details. A breach involving that kind of data rarely stays a technical problem.
Waverley Christian College in Victoria was listed by the Fog ransomware group in December 2024. The school confirmed the incident and notified the ACSC and the OAIC. It is the most recent example of a private Australian school becoming an active ransomware target.
Threat context
Why independent schools are targeted.
Independent schools are subject to the federal Privacy Act because they are non-government organisations rather than state and territory authorities. That makes the data they hold a regulatory liability, not just an ethical one. Student welfare records, medical details, family court orders, counselling notes and parent income information are all personal information under the Act. A breach involving that data almost always meets the serious harm threshold that triggers mandatory notification to the OAIC and the affected individuals.
Ransomware groups have noticed. The Fog ransomware attack on Waverley Christian College in December 2024 is the most documented recent example. The group claimed around 5 gigabytes of data including financial records, insurance documents and internal correspondence. The college confirmed the incident and notified both the ACSC and the OAIC. Schools with 500 students or 2,500 students face the same entry points.
Independent schools typically operate with small IT teams managing a mix of administrative systems, learning platforms and parent communication tools. Basic security controls — MFA enforcement, privileged account management, vendor assessments — often have not been implemented because no one has made the time. A larger commercial organisation would apply these as a matter of course. That does not change the school's Privacy Act obligations or its attractiveness as a target.
Common risks
What we find when we assess independent schools.
Student welfare data with open access
Welfare files, counselling notes, medical records and family documents sit in shared drives accessible to most administrative staff. In some schools these are stored in the same location as routine correspondence and school newsletters. When a staff account is compromised, an attacker has immediate access to the most sensitive records the school holds.
No MFA on email and administrative systems
Email accounts without multi-factor authentication are the single most common finding in small to medium institutions. Phishing remains the most common initial entry point in Australian cyber incidents. A single successful phish on a business manager's or principal's account opens access to parent financial records, payroll data and administrative systems.
Third-party learning and communication platforms
Independent schools use a range of third-party tools: learning management systems, parent communication apps, school management platforms, wellbeing apps and assessment tools. Each is an additional point of exposure. Most schools have no documented process for assessing the security of vendors before connecting them to the school's systems or sharing student data with them.
Inadequate data handling for sensitive records
Family court orders, child protection notifications and sensitive welfare disclosures often reach schools via email and are stored inconsistently. Some end up in shared inboxes with broad access. Some are forwarded to personal accounts for convenience. The Privacy Act requires active management of how sensitive personal information is stored, accessed and disposed of.
No tested incident response plan
A written policy that has never been tested is not a plan, it is a document. When ransomware hits or a breach is discovered, the practical questions — who makes the call, which systems get isolated, when does the OAIC notification clock start, how do you communicate with parents — need answers that do not depend on finding the right page under pressure.
Compliance
Privacy Act obligations for independent schools.
Non-government schools are directly subject to the federal Privacy Act 1988. That applies regardless of size.
Australian Privacy Principles
Independent schools are organisations for Privacy Act purposes and must comply with the thirteen Australian Privacy Principles. APP 11 requires that entities holding personal information take active steps to protect it from misuse, interference, loss and unauthorised access. The standard expected is not perfection — it is active, documented security management proportionate to the sensitivity of the data held. A school holding welfare records for minors is expected to apply controls that reflect what that data is.
Notifiable data breach obligations
The NDB scheme requires notification to the OAIC and to affected individuals when there has been an eligible data breach: unauthorised access, disclosure or loss of personal information that is likely to result in serious harm. For a school holding medical records, financial assistance data and welfare information, the serious harm threshold is met in most significant incidents. The Privacy and Other Legislation Amendment Act 2024 increased civil penalties available to the OAIC and strengthened the regulator's enforcement powers.
Sensitive information under the Act
Health information, information about a person's racial or ethnic origin, and information about religious beliefs are all classified as sensitive information under the Privacy Act, which carries higher privacy protections than standard personal information. Independent schools regularly hold all three categories for students and staff. Criminal records and sexual orientation information, which some welfare disclosures may touch, are also sensitive information. The controls expected for sensitive information are proportionately higher.
How we help
Services for independent schools.
We work with independent schools that want to understand their actual privacy and security exposure and take practical steps to address it.
Audit and assurance
An gives you a clear picture of where you stand and a prioritised list of what to fix first. We map findings against Privacy Act obligations so the school's leadership understands the connection between a technical gap and a regulatory exposure.
Microsoft 365 security
policies, enforcement, DMARC, DKIM and SPF, and for classifying student welfare and medical records. Most independent schools run on . We harden those environments against the attack paths that show up most often in education breaches.
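The email authentication controls named above (SPF and DMARC) fail quietly when a record is published with a permissive setting, and the weak and hardened forms are only a few characters apart. The following is an added example, not IronSights code or any tool it sells: a small Python checker that parses SPF and DMARC TXT records and reports the settings a reviewer would flag. The records and the domain example.edu.au are constructed for illustration; DKIM selectors are not covered because their keys are published per selector and cannot be judged from a single record.

```python
"""Flag weak SPF and DMARC settings in published TXT records.

Added example for illustration; not IronSights' code. The sample records
and the domain example.edu.au below are constructed, not real.
"""

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def parse_spf(record: str) -> dict:
    """Split an SPF record into (qualifier, mechanism) pairs and the 'all' qualifier."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms = []
    all_qualifier = None
    for term in terms[1:]:
        qualifier = "+"  # SPF default when no qualifier is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return {"mechanisms": mechanisms, "all": all_qualifier}


def spf_findings(record: str) -> list:
    """Return human-readable findings for permissive or broken SPF settings."""
    spf = parse_spf(record)
    findings = []
    if spf["all"] is None:
        findings.append("no 'all' term: senders not listed are implicitly permitted")
    elif spf["all"] == "+":
        findings.append("'+all' authorises any host on the internet to send as this domain")
    elif spf["all"] == "?":
        findings.append("'?all' is neutral: unlisted senders are neither passed nor failed")
    # RFC 7208 caps DNS-querying terms at 10; past that receivers return permerror.
    lookups = 0
    for _, mech in spf["mechanisms"]:
        name = mech.split(":")[0].split("/")[0].lower()
        if name in LOOKUP_MECHANISMS or mech.lower().startswith("redirect="):
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    if any(mech.lower().startswith("ptr") for _, mech in spf["mechanisms"]):
        findings.append("'ptr' mechanism is deprecated and unreliable at receivers")
    return findings


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value;' pairs from a DMARC record into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def dmarc_findings(record: str) -> list:
    """Return findings for DMARC settings that leave spoofed mail deliverable or invisible."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid 'p' policy tag")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("no 'rua' address: aggregate reports are not collected, so abuse goes unseen")
    return findings


def assess(spf_record: str, dmarc_record: str) -> dict:
    """Combine both checks for one domain."""
    return {"spf": spf_findings(spf_record), "dmarc": dmarc_findings(dmarc_record)}


# Constructed sample records: a typical weak pair beside a hardened pair.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ptr ?all"
WEAK_DMARC = "v=DMARC1; p=none;"
HARDENED_SPF = "v=spf1 include:spf.protection.outlook.com -all"
HARDENED_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                  "rua=mailto:dmarc-reports@example.edu.au")

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("hardened", HARDENED_SPF, HARDENED_DMARC)):
        print(label, assess(spf, dmarc))
```

Run against real records by fetching the domain's TXT entries (for DMARC, the `_dmarc` subdomain) with your resolver of choice and passing the strings to `assess`; the checker itself makes no network calls. A hardened result is an empty findings list for both records, with `-all` on SPF and `p=reject` with a `rua` address on DMARC.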
Fortify — managed security
Around-the-clock monitoring across endpoints, email and cloud environments. Rapid containment when something goes wrong. For schools without a dedicated security person, Fortify provides the coverage that a part-time or shared IT arrangement cannot.
Incident response
Available 24 hours a day. containment, breach investigation and notification support. Both the QUT and Waverley incidents required notifications. Knowing when that obligation arises and how to meet it is not something to work out in the middle of an incident.
Common questions
Asked by independent school leaders.
Not in this list? Call us on 1300 004 766 or book a 30-minute consultation. No obligation.
Are small independent schools really targeted by ransomware groups?
Yes. Waverley Christian College in Victoria has around 2,270 students and was listed as a Fog ransomware victim in December 2024. The school confirmed the incident. Ransomware groups are not selecting targets based on prestige or size. They are selecting based on the data held and the likelihood of payment. A school holding sensitive records for families and children holds data worth stealing. Schools are also seen as organisations that will pay to make the situation go away. Size does not change that calculation.
What personal information triggers the Privacy Act's serious harm test?
Health information, financial details, information about racial or ethnic origin, criminal records and information that could be used to facilitate identity theft are all categories where serious harm is readily established. For an independent school, a breach involving student medical records, welfare disclosures, family financial assistance records or parent identity documents will almost always meet the threshold. Once it does, notification to the OAIC and to affected individuals is mandatory, not optional.
How do we assess which third-party vendors are a risk?
Start by mapping which vendors have access to student personal information and under what terms. That list is usually longer than school leaders expect. For each vendor, the questions are: what personal information do they hold or process, what security controls do they maintain, what happens to the data if the relationship ends, and what do they do in the event of a breach affecting our data. We can help structure that assessment and review vendor agreements for gaps.
What should we do in the first 24 hours of a suspected breach?
Isolate affected systems to prevent further spread. That usually means taking devices offline or disconnecting from the network rather than shutting down, since powering off can destroy forensic evidence. Contact your cyber insurer. Document what you know and when you found out, because the timeline matters for OAIC notifications. Contact a specialist incident response team as early as possible. Do not pay a ransom without taking legal and specialist advice first. The obligation to notify the OAIC arises without unreasonable delay once you are aware of an eligible breach, so the notification question needs to be on the table from the start.
Also in education
IronSights works across the Australian education sector.
Start here
A security review tells you exactly what your school holds and what it would take to protect it.
We assess your environment, how student and staff data is stored and accessed, your third-party vendor relationships, and whether your incident response plan would hold up under real conditions.
ISO 27001 and ISO 9001 certified. NSW Master Security Licence 000109187. Microsoft certified security engineers. Australian-owned. Sydney-based.
