Case Studies: Data Breach Notification
Second level school a victim of a whale phishing attack
The DPC received a breach notification from a school in relation to a bad actor who accessed and infiltrated the school's ICT systems, including its email system, for an unknown length of time. The bad actor gathered information before sending a phishing email that tricked the school's financial accounts administrator into directing payments to a fraudulent account.
The bad actor sent an email to the accounts administrator, pretending that it had come from the email account of the school principal. This practice is referred to as spoofing: the email appears to come from a trusted individual and to be a valid request. The email contained fraudulent duplicates of invoices relating to legitimate work performed in the school. However, the bank account details had been altered by the bad actor to redirect the payment to an unknown recipient, and the school, unaware of this, carried out the transaction.
The breach was discovered when the legitimate supplier reported that they had not been paid.
The DPC engaged with the school and recommended that the school take a number of actions to recover from the breach and mitigate against a recurrence, including the implementation of multi-factor authentication, ongoing monitoring, and reminders on its email usage policy.