No data, including information on pupils, was understood to be accessed or copied.
But the school immediately reported itself to the Office of the Data Protection Authority for a data breach immediately, cooperated with its investigation and has been ordered to update systems to improve its security, which it has completed.
The authority found that the college had failed to secure remote access to its computers, and had used a weak password – without activating multi-factor authentication – for an administrator account, and was vulnerable to a ‘brute force attack’.
And, while it had systems in place that detected suspicious activity, it had no way of being notified of such detections.
The ODPA found no evidence of information being exfiltrated from the college’s systems.
The Ladies’ College said it took data security very seriously.
‘We are committed to protecting the personal information of our students, parents and staff, and are grateful for the support of the ODPA throughout this process.’
The incident took place on 24 June 2024 when the college discovered that it was unable to access several of its on-premises servers.
It quickly identified that unauthorised access had been made to some of its systems, which had then been encrypted with ransomware.
Most information affected did not relate to individuals but some limited examples of personal data were impacted.
The ODPA’s investigation also found that the college had failed to appropriately secure remote access to computers within its network, leaving them directly exposed to be accessed using compromised credentials.
‘Effective processes to monitor and warn against security breaches are a key element of any security safeguard system, regardless of the sensitivity of the information held,’ said Data Protection commissioner Brent Homan.
‘We are pleased that the Ladies’ College acted swiftly to notify our office of the breach, cooperated with the investigation and implemented remedial measures without delay.’
He said that it was important there were processes to ensure that security monitoring software alerts were identified in a timely manner.
You need to be logged in to comment. If you had an account on our previous site, you can migrate your old account and comment profile to this site by visiting this page and entering the email address for your old account. We'll then send you an email with a link to follow to complete the process.