Post-breach insights: lessons in ransomware response


Ransomware attacks have been sweeping the globe, and our crisis and data breach response team at Experian has been on the frontline helping organisations to manage the aftermath of data breaches. In this post, I reflect on our experience of managing post-breach situations in the education and charity sectors.

Skip to section...

Schools and charities at risk

In recent months, we have seen a large number of schools, colleges, educational establishments and universities, as well as charitable organisations, impacted by devastating ransomware attacks. Education providers and charities often fall victim to ransomware attacks because their cybersecurity budgets and resources are smaller than those of larger corporations – making them more vulnerable to mass ransomware campaigns. This is borne out by our own research, which found that 89% of education sector respondents had experienced a cyber-attack and 85% had experienced a ransomware attack.

Ransomware attacks are indiscriminate

The first misconception is that ransomware attacks are targeted at specific organisations. In fact, they are usually indiscriminate. Ransomware firms seek to exploit vulnerabilities in the software and systems used by thousands of organisations. Once they gain access to these systems, they can exfiltrate or copy data from all of the organisations using that software.

The huge MOVEit attack is a prime example. By exploiting a vulnerability in the widely used MOVEit file transfer program, a ransomware firm attacked more than 1,000 organisations worldwide and accessed the data of around 60 million people[1]. None of the organisations impacted were specifically targeted – they were simply users of the software.

If data matters to you, it’s valuable to criminals

The second misconception is that cybercriminals are looking to steal personal data that they can sell on to fraudsters. In reality, it is far more lucrative for them to steal any data for which they can demand a ransom – rather than trying to sell individual personal details on the dark web. To demand a ransom, they only need data that is emotionally, financially or reputationally valuable to the individuals and organisations it is stolen from.

The data held by education and charitable organisations on their students, staff, alumni, donors and other groups is extremely valuable to those individuals. Think about the amount of personal data schools hold about their pupils. If this data fell into the wrong hands, parents would be extremely worried – meaning ransomware firms are in a strong position to demand a ransom for its safe reinstatement.

Managing a response

If you are a school, college, university or charity, how do you respond to a data breach? Who do you need to inform, and how quickly? How will you manage communications? Now that insurance companies are introducing more exclusions and limits to their cyber insurance policies, how do you minimise costs, protect your reputation and best deploy resources to manage your response?

At Experian, we’ve seen many breaches in the education and charity sector, so we understand the specific challenges they face, and how best to manage the post-breach recovery. It’s important to look at the situation from the point of view of the people impacted. These could be current and former students, parents, current and former staff, governors, suppliers, donors, beneficiaries and many others.

Contacting multiple cohort groups

The huge range of cohort groups is one of the biggest challenges for education providers and charities in responding to a breach. All of these groups must be contacted, so the first step is to identify the contact details you have and determine the best way to inform people. Where large numbers are involved, letters or emails are likely to be the most effective and efficient means of communication. But you might not have up-to-date contact details for everyone, particularly former and overseas students who have gone back home or moved away.

You then need to consider how to respond to queries and concerns. Can you put call centre resources in place, or outsource call centre agents from a specialist provider? What number do they call and is this freephone, local rate or international? Answering queries by email is often simpler and more manageable, but may not be acceptable to everyone. Everything you do must be focused on the needs of the individuals concerned.

You also need to understand the legal implications. What lengths should you go to in contacting people, and when can you cease your efforts after multiple failed attempts? We have the expertise at Experian to advise on all of these matters. We can help to formulate messages and advise on the best mechanisms for responding to queries, and help to minimise financial and reputational damage.

Preparation is key

Making all of these decisions and managing your response in the heat of a post-breach environment is especially challenging – when speed is vital and the ransom deadline is looming. To make everything more manageable and less stressful, it is far better to plan your crisis-response strategy in advance. That way, you can have plans in place and resources on standby, ready to swing into action if the worst happens. I will be offering advice on crisis-response planning and preparation in a forthcoming series of blogs – so watch this space!

How can we help?

If you are a school, college, educational establishment, university or charity and want to learn more about preparing for and responding to ransomware attacks, please visit our website or contact the Experian Crisis & Data Breach Response team on 0844 4815 888 or via email.

Get in touch

Get in touch with our Experian Crisis & Data Breach Response team

Get in touch
Copy Link Copied to clipboard