John Kyrle Security Breach and Data Loss in January 2020

The JKHS Parent Network is in no way officially affiliated with or run by JKHS.
It is, and always will be, completely independent.


On Monday 13th January 2020, JKHS pupils began reporting that they were aware of the loss of all their coursework, and that staff had lost all their work and resources.

LATEST RELATED NEWS:

*** 24th February 2020 - parents report there was again no access to the school's computer systems, which affected lessons and their children's work for another two full school weeks. This comes at a very crucial time for those about to take GCSEs. You can read about this second large-scale disruption here. ***

It is now concluded, as of 12th February 2020, that John Kyrle High School lost a total of 15 TB of data going back 16 years. This is what David Boyd, 'Operational Headteacher', told the West Mercia Police Cybercrime Unit.

It now appears true that, in addition to questionable security, the school did NOT have a suitable backup process in place, and that the backups were deleted by the same ransomware that infected the system.

As a result, pupils have lost all their coursework and teachers have lost years and years' worth of teaching resources.

John Kyrle have been asked for their Data Protection Policy, which they have NOT provided, and they have NOT supplied the contact details of their 'independent' Data Protection Officer when asked.

The following information was updated on 27th January, following a second letter from the school to current parents only and clarification from the West Mercia Police Cybercrime Unit.

Parents say pupils were made aware on Monday 13th January, and the word was that the school system was completely inaccessible and that all saved work held on John Kyrle's computer systems had been lost.

With parents in communication with each other and over social media, the accounts people were giving appear consistent, although the language used is often vague, offers little technical insight and includes a degree of speculation. The effects of the event, however, are not really in question across all the experiences being recounted.

The Headteacher, Mr Nigel Griffiths, wrote to all current parents in a letter on Wednesday 15th January about the security breach. That letter can be viewed here as a PDF.

The Headteacher's letter states that the data concerned relates to staff and pupils, without mentioning 'past' people. It does, however, go on to describe the 'wide ranging' data concerned, saying it may include SEN (Special Educational Needs) data, safeguarding data, pupil records and examination data. The first three of those are likely to include personally identifiable data on parents and other individuals, and potentially sensitive data which by its nature could be used in a discriminatory fashion, including information that directly relates to mental health issues. Because of this, the ICO (Information Commissioner's Office), which upholds data protection law and GDPR, outlines the seriousness of any such breach, and there are clear guidelines on how the school should communicate with all people who could be affected.

It was pointed out to the school on Thursday 17th January that they have neither a Data Protection Policy nor a Privacy Statement available on their website, as required. Two weeks on, we are still trying to get a copy of the school's Data Protection Policy, but they have not provided one despite being clearly asked to.

Whilst parents and pupils report a complete loss of all work and a loss of all backups at the school, more light is shed by the Headteacher saying in his letter that "encryption has been applied which is currently preventing us from being able to access the server". As a side point, note the singular use of the word 'server', although the Headteacher is unlikely to be I.T. fluent.

After speaking with as many people as possible, including some with decades of experience in I.T., it has been strongly speculated that the admission in the phrase "encryption has been applied" means ransomware has found its way onto the server. Ransomware encrypts the files on the systems it can reach, commonly including network shares, and leaves a ransom note demanding payment in exchange for the decryption key.

The police have confirmed that the encryption applied looks like the action of a piece of ransomware. They confirmed that David Boyd, the "Operational Headteacher", has said that 15 TB of data has been lost, going back 16 years.

The police also confirmed that the backup has been deleted. They say ransomware will often look for backups too, in order to attack them as well. This is standard behaviour: a backup that can be restored defeats the ransom demand, so ransomware routinely deletes any backup files and volume snapshots the compromised system can reach. Encrypting the backup beforehand is no defence against this, since a file the attacker can delete is lost regardless of whether it is encrypted; what matters is whether the compromised system can write to or delete the backup at all.

We await further details on this.

What is also clear at the time of writing is that neither the school, pupils nor parents have reported that the system is back and everything has returned to normal. Along with claims that all the backups are also affected, it would seem serious questions need to be asked about how the school's systems have been implemented. A backup should be held somewhere the systems it protects cannot overwrite or delete it.

Many have said that the backup strategy at JKHS must be flawed. Businesses and organisations usually secure against data loss by using multiple simple backup methods. One of those is an 'off the network', disconnected backup, which is usually kept off-site; this also provides protection against theft from the main premises and against fire or water damage.

Unfortunately, it looks very clear that the data loss could have been avoided by a simple and effective backup strategy.

We are yet to find out whether JKHS kept a simple off-site backup. If they had, there should be very little data loss and everything should be back up and running. However, this is written two weeks to the day after JKHS became aware of the data loss, and the school has not made a statement that the data has simply been recovered.
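To make concrete both the police's point that ransomware hunts for backups and the argument above that a disconnected copy is what actually survives, here is an added example, not code from this page or from the school's systems. It builds a small generational backup with a SHA-256 manifest, verifies a backup by actually restoring it to scratch space rather than just checking the archive exists, and then emulates the destructive part of a ransomware run by deleting every file the 'live' host can write. The backup kept on the same reachable filesystem is destroyed; the copy in a separate location (standing in for unplugged media or an off-site store) still verifies. All paths, labels and sample files are constructed for the demo.

```python
"""Added example (hypothetical code): generational backup + restore verification,
plus an emulation of why a backup the live system can delete is not a backup.
All paths and sample data below are constructed for the demonstration."""
import hashlib
import json
import shutil
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, dest_root: Path, label: str) -> Path:
    """Write dest_root/<label>.tar plus a manifest holding the archive hash and per-file hashes."""
    dest_root.mkdir(parents=True, exist_ok=True)
    archive = dest_root / f"{label}.tar"
    with tarfile.open(archive, "w") as tar:
        tar.add(src, arcname="data")
    files = {str(p.relative_to(src)): sha256_file(p)
             for p in sorted(src.rglob("*")) if p.is_file()}
    manifest = {"archive": archive.name, "archive_sha256": sha256_file(archive), "files": files}
    archive.with_suffix(".manifest.json").write_text(json.dumps(manifest, indent=1))
    return archive


def verify_backup(archive: Path) -> bool:
    """True only if the archive matches its manifest AND a trial restore reproduces every file."""
    manifest_path = archive.with_suffix(".manifest.json")
    if not archive.exists() or not manifest_path.exists():
        return False  # deleted or never written: there is nothing to restore from
    manifest = json.loads(manifest_path.read_text())
    if sha256_file(archive) != manifest["archive_sha256"]:
        return False  # corrupted or tampered archive
    with tempfile.TemporaryDirectory() as tmp:
        with tarfile.open(archive) as tar:
            # the 'data' extraction filter (Python 3.12+, backported to older patch
            # releases) refuses path-traversal members; omit it where unavailable
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(tmp, **kwargs)
        restored = Path(tmp) / "data"
        for rel, digest in manifest["files"].items():
            p = restored / rel
            if not p.is_file() or sha256_file(p) != digest:
                return False
    return True


def wipe_reachable(root: Path) -> int:
    """Emulate the destructive part of a ransomware run: delete every file under `root`."""
    count = 0
    for p in root.rglob("*"):
        if p.is_file():
            p.unlink()
            count += 1
    return count


def demo() -> dict:
    """Live data, an on-network backup and a disconnected backup; wipe the live host; see what survives."""
    base = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    try:
        live = base / "live"  # everything the infected server can write to
        (live / "coursework").mkdir(parents=True)
        (live / "coursework" / "essay.txt").write_text("constructed sample coursework\n")
        (live / "resources.txt").write_text("constructed sample lesson resources\n")
        on_network = live / "backups"  # a 'backup' on the same reachable filesystem
        disconnected = base / "offline"  # stands in for media unplugged after the copy

        make_backup(live / "coursework", on_network, "gen-1")
        offline_archive = make_backup(live / "coursework", disconnected, "gen-1")
        results = {"offline_verified_before": verify_backup(offline_archive)}

        results["files_wiped"] = wipe_reachable(live)
        results["on_network_verified_after"] = verify_backup(on_network / "gen-1.tar")
        results["offline_verified_after"] = verify_backup(offline_archive)

        # a silently corrupted archive must also fail verification, not restore garbage
        with open(offline_archive, "r+b") as f:
            f.seek(0)
            f.write(b"\xff")
        results["offline_verified_after_corruption"] = verify_backup(offline_archive)
        return results
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports the disconnected copy verifying both before and after the wipe, the on-network copy failing afterwards because its archive and manifest were deleted along with the live data, and the deliberately corrupted archive being rejected. The point of the trial restore in `verify_backup` is the one the school's situation illustrates: a backup that has never been restored is only a hope, and the check belongs in routine operation, not in the middle of an incident.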

On 21st January, current parents reported that a second letter had been sent to them (the only other communication from the school on the matter). You can read this second letter from the Headteacher here.

Headteacher Nigel Griffiths states that there is 'no evidence of any information being taken from our system', although that does not say that information has not been gone through or read by whoever breached security.

He also states that it is not an act of "holding us to ransom", which still leaves what has happened unclear: it is not a statement that ransomware was not responsible for the effects on the data and systems. He has also claimed the attack was aimed at his school with the intention of upsetting staff and pupils. It is completely unclear at this point whether this was a directed attack, but Nigel Griffiths is claiming so.

Nigel Griffiths mentions, in self-congratulatory fashion, that "Our independent Data Protection Officer has been in contact daily" (with him, we presume, as the contact details for the Data Protection Officer were not, and still have not been, published in either letter for others to use). He then goes on to say "In a recent email he said, 'notifications are entirely appropriate'. This means we have done everything we need to do, including communication with all necessary parties". In his first letter, Nigel implied a risk to the personally identifiable data of not just current pupils; his direct wording that pupil records, SEN records and safeguarding records could be among the data compromised means a huge number of people have not been contacted about the risk to records regarding them. Clarification has been sought from Nigel Griffiths on who the risk applies to, as he seems to potentially contradict himself through his own words.

It is however obvious to any reader that at least 50% of Nigel's second letter is entirely irrelevant to the issues at hand and this additional content is him using the opportunity to release thoroughly unrelated PR.

Nigel also claims that "School life has continued as normal". He wrote that one week on. However, this is completely at odds with what multiple parents have reported. The talk of massive lesson disruption is in line with reports that teachers' lesson resources have been lost or are unavailable, and parents have accordingly been reporting an effect on the education of their children. Accounts from multiple parents have varied from some disruption of lessons all the way to a major negative effect on all lessons all week.

Two Parents' Evenings, for years 7 & 8 have been postponed, with teachers saying this is because they have been asked to use the time to try to construct new lesson resources. So again, disruption affecting parents, pupils and staff.

It has also been reported that teachers have been told they are being given a £100 'sweetener' in their pay packets because of the data loss. If true, this could amount to a spend in the region of £10,000.

A final announcement letter to current parents was written by Nigel Griffiths on 12th February 2020. You can read this letter here.

In his letter, Headteacher Nigel Griffiths says the ICO are closing their investigation. He then congratulates himself on how the school has handled the situation.

He says "Although some personal information held electronically has been destroyed, we have been able to recover this information from other sources, such as data held in hard copy". Using the word "some" seems to be an understatement.

Please note that, given the vast amount of information lost according to David Boyd, it is highly unlikely that hard copies have made any real dent in the retrieval of 15 TB of lost data. This seems to be confirmed: Nigel states "one of the issues we are dealing with is the loss of some student and staff work", where again the word "some" seems to be an understatement.

This final letter from Nigel Griffiths seems in large part to attempt to downplay the sheer scale and extent of the lost data.

Nigel does, however, outline how they are trying to address the systems that were compromised, including the backups, which were deleted. Nigel says "we will address all issues of backup, including on-site and off-site storage", which seems to be a clear admission that the backup procedures were lacking.

As this website is dedicated to mental health at the school and holding the school to account for issues relating to this, many parents and teachers have been in touch commenting on the huge distress caused through losing coursework, work, and years and years of teachers' teaching resources.

Nigel Griffiths' only real acknowledgement of the huge pain and distress caused is one line in his long letter, which reads "I want to apologise to all those affected", but the letter precedes that with lengthy passages that seemingly downplay the scale of the disaster whilst striking a self-congratulatory tone.
