Cyber security for Australian schools.
Australia's National Cyber Security Coordinator warned in October 2023 that schools are becoming ransomware targets. The reason given was direct: schools are small enough that they cannot maintain full-time security teams or fund 24/7 threat response. Attackers know that, and it shows in the incident data.
IronSights helps K-12 schools manage cyber risk with the resources they actually have. Victorian government schools also face documented quarterly compliance obligations under the Victorian Protective Data Security Standards.
Threat context
Why schools are being targeted.
Education ranked fourth for notifiable data breach notifications in Australia in the first half of 2024, with 44 notifications accounting for 8 per cent of the national total, according to the OAIC. The sector has appeared consistently in the top five. Schools hold student enrolment records, attendance data, welfare and counselling information, family contact details and in some cases medical records and family court orders. That data has value.
Waverley Christian College in Victoria was listed by the Fog ransomware group in December 2024. The school, with around 2,270 students, confirmed the incident and notified both the ACSC and the OAIC. The group claimed around 5 gigabytes of data including financial and insurance records. It is the most recent documented K-12 private school ransomware incident in Australia, and it will not be the last.
The National Cyber Security Coordinator's October 2023 warning was notable for being explicit about the cause. Schools are targets because they hold sensitive data and they generally do not have the security resources to protect it effectively. That is not a criticism; it is an accurate description of the resourcing reality most schools operate in. Schools do not need to become security experts. They need the right support in place.
Common risks
What we find when we assess K-12 schools.
No MFA on staff accounts
The most common finding across school IT environments is staff email and system access without multi-factor authentication enforced. Phishing is the most frequent initial access vector. A single successful phish on a teacher's or administrator's account is often enough to reach student records, payroll data and administrative systems. Enforcing MFA on Microsoft 365 accounts is the highest-return security control most schools can implement.
Sensitive student data in open shared folders
Welfare disclosures, counselling records, medical information and family court orders often sit in shared folders accessible to most of the administrative team. The distinction between routine documents and highly sensitive records rarely maps onto the folder structure. When an account is compromised, everything in those shared drives is reachable.
End-of-life systems and delayed patching
Schools often run older operating systems and hardware well past vendor support dates. Budget cycles, limited IT staffing and the operational disruption of patching during term time all contribute. Ransomware groups actively scan for unpatched vulnerabilities in internet-facing systems. The QUT attack in December 2022 exploited infrastructure vulnerabilities that had not been addressed.
Learning management systems and student portals
LMS platforms, parent communication apps and student portals extend the school's attack surface well beyond its own network. Credentials for these systems are often managed inconsistently, shared amongst staff or never changed after staff departures. A compromised LMS account can expose student data and communications without touching the school's internal network at all.
Incident response not tested
Most schools have policies. Few have tested what actually happens when a ransomware attack or breach occurs outside business hours during term. Who isolates the affected systems? Who contacts the insurer? When does a government school need to notify the department? How does a private school assess whether the NDB threshold has been met? A tabletop exercise identifies the gaps before an incident does.
Compliance
Regulatory obligations for schools.
The compliance picture differs between government schools and independent schools. Getting this right matters.
Victorian government schools — quarterly obligations
Victorian government schools must align information security practices with the Victorian Protective Data Security Standards published by OVIC. The Department of Education's policy also requires schools to assess and document information security risks, including the effectiveness of current controls, at least once per school term, four times per year. The department provides a pre-populated risk register. Schools that complete the register without conducting a genuine assessment are out of compliance with a documented state-level requirement, not just a recommended practice.
Independent and non-government schools
Non-government schools, including independent, Catholic and other private schools, are subject to the federal Privacy Act 1988 as organisations rather than government bodies. The Australian Privacy Principles apply. The Notifiable Data Breaches scheme requires notification to the OAIC and affected individuals when a breach is likely to cause serious harm. For schools holding student welfare records, medical information and family financial data, most significant incidents will meet that threshold.
Government school privacy obligations
Government schools in NSW, Victoria, Queensland and other states are part of state and territory government departments and comply with state and territory privacy legislation rather than the federal Privacy Act. The applicable legislation varies by state. Victorian government schools, for instance, are subject to the Privacy and Data Protection Act 2014 (Vic) and VPDSS. NSW government schools comply with the Privacy and Personal Information Protection Act 1998 (NSW). Each framework imposes its own requirements for handling and protecting student and staff data.
How we help
Services for K-12 schools.
Security reviews
Most schools start here. We identify the highest-priority gaps, give you a clear picture of your actual exposure, and recommend next steps matched to your budget and IT resources. For Victorian government schools, we map findings against VPDSS requirements.
Microsoft 365 security
MFA enforcement, DMARC, DKIM and SPF configuration, and classification of sensitive student records. Most Australian schools run on Microsoft 365. We harden those environments against the attack paths that appear most often in education incidents.
Fortify — managed security
Around-the-clock monitoring for schools that cannot maintain full-time security coverage internally. Fast containment when something goes wrong. Monthly reporting your principal and board can read. For schools where the IT arrangement is a part-time role or a shared-services provider, Fortify fills the 24/7 gap.
Incident response
Available 24 hours a day: containment, breach investigation and notification support. For private schools, that includes support with Notifiable Data Breaches scheme obligations. For government schools, we work within the relevant departmental incident reporting framework.
Common questions
Asked by school leaders.
Not in this list? Call us on 1300 004 766 or book a 30-minute consultation. No obligation.
What is VPDSS and does it apply to our school?
The Victorian Protective Data Security Standards are a set of information security requirements published by OVIC that apply to Victorian government entities, including government schools. Victorian government schools must formally assess and document their information security risks, including the effectiveness of existing controls, at least once per school term using the department's pre-populated risk register. Schools that have not been doing this quarterly assessment are out of compliance with a documented departmental requirement. Independent and Catholic schools in Victoria are not subject to VPDSS, but are subject to the federal Privacy Act.
Why would a ransomware group target a school?
Two reasons. Schools hold personal data that has value: student welfare records, medical information, family financial details, family court orders and contact information for children. That data is worth stealing and publishing as leverage. Schools also typically lack the security resources to detect intrusions quickly or respond effectively once they occur. Australia's National Cyber Security Coordinator named that resource gap explicitly in a 2023 warning about schools becoming ransomware targets. The Fog ransomware group's attack on Waverley Christian College in December 2024 confirmed the pattern is active.
Does a government school need to notify anyone after a data breach?
Government schools in Victoria comply with state privacy legislation and relevant departmental incident reporting requirements rather than the federal NDB scheme. The applicable obligations and notification channels depend on the state. Victorian government schools should report incidents through the Department of Education's incident reporting process. For any breach that may involve sensitive student or family data, the department's privacy and data protection team should be involved early. Independent schools are subject to the federal NDB scheme and must notify the OAIC and affected individuals when the serious harm threshold is met.
We have a small IT budget. Where do we start?
MFA on Microsoft 365 accounts is the single highest-return control most schools can implement, and it is not expensive. If staff accounts are not behind MFA, fixing that one thing reduces exposure more than most other measures combined. After that: DMARC configuration to reduce email spoofing, a clear offboarding process to revoke access when staff leave, and a tested understanding of what you would do in the first few hours of an incident. A security review helps you understand which gaps matter most for your specific environment so you are not spending limited budget on things that do not move the needle.
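The DMARC, SPF and DKIM configuration mentioned under Microsoft 365 security and in the answer above is something a school can check itself. The script below is an added example, not IronSights tooling: it parses constructed SPF and DMARC TXT records for a hypothetical school domain and flags the weak settings (a permissive `+all`, a monitor-only `p=none`, missing reports) that leave a domain easy to spoof; a real check would fetch the records with a DNS TXT lookup instead.

```python
"""Offline checker for the SPF and DMARC records a school domain publishes.
Added example with constructed records; fetch live TXT records for real use."""
import re

# Constructed TXT records for a hypothetical school domain.
SAMPLE_RECORDS = {
    "example-school.vic.edu.au": "v=spf1 include:spf.protection.outlook.com +all",
    "_dmarc.example-school.vic.edu.au": "v=DMARC1; p=none; rua=mailto:dmarc@example-school.vic.edu.au",
}

# Mechanisms that cost a DNS lookup; RFC 7208 allows at most ten per SPF check.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)")

def check_spf(record):
    """Return a list of weaknesses in an SPF record (empty list means no finding)."""
    if not record.startswith("v=spf1"):
        return ["no SPF record published"]
    terms = record.split()
    findings = []
    # The final 'all' term decides what happens to senders not listed before it.
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("SPF ends with +all: any server may send as this domain")
    elif last == "~all":
        findings.append("SPF ends with ~all (softfail); -all is the strict setting")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups; the limit is 10")
    return findings

def check_dmarc(record):
    """Return a list of weaknesses in a DMARC record."""
    if not record.startswith("v=DMARC1"):
        return ["no DMARC record published"]
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: no aggregate reports will arrive")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC pct={tags['pct']}: policy applies to only part of failing mail")
    return findings

def assess_domain(domain, records):
    # Run both checks for one domain using a name -> TXT record mapping.
    return {"spf": check_spf(records.get(domain, "")),
            "dmarc": check_dmarc(records.get(f"_dmarc.{domain}", ""))}
```

Running `assess_domain("example-school.vic.edu.au", SAMPLE_RECORDS)` reports one finding for each record; the fix for the constructed domain is `-all` in SPF and `p=quarantine` or `p=reject` in DMARC once legitimate senders are aligned.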
Also in education
IronSights works across the Australian education sector.
Start here
Find out what your school's actual exposure is and what to fix first.
We assess your environment, how student data is managed, your current controls, and whether your incident response process would hold up. The output is a practical list of what matters most.
ISO 27001 and ISO 9001 certified. NSW Master Security Licence 000109187. Microsoft certified. Australian-owned. Sydney-based.
