Portuguese School IT system hacked for ransom

The Internet-based school management system of the Macau Portuguese School (EPM) has been the target of a cyberattack by an undisclosed group attempting to extort money from the institution in exchange for regaining access to the system, the Times has learned from various sources. At stake is possibly the personal data of the students, parents and staff.
Hoje Macau first reported that, according to information provided by the school to parents in a meeting last month, the cyberattack occurred in April but a formal complaint was only filed with the Judiciary Police (PJ) last week.
To the Times, the PJ confirmed it had received the complaint from the school institution, advancing that the hijacking of the software system was intended to obtain an undisclosed amount of money as a ransom.
The PJ noted that, as the case is now under investigation, it is not able to reveal any more details that might jeopardize the investigation.
The Times also reached out to the president of the Association for Macanese Education (APIM), Miguel Senna Fernandes, for a comment on the case. Senna Fernandes said that APIM, one of the major shareholders of the Portuguese School Foundation, is not aware of the amount requested by the hackers.
“We know nothing about the amount [requested], because we have not been contacted for such a purpose,” Senna Fernandes said. “As far as I know, there was no [specific] amount [requested], for the time being.”
He stated that the case is in the hands of the PJ, which will investigate it and reach a conclusion.
When asked for a comment on a suggestion to the Times that the group had requested that the ransom be paid using cryptocurrency, Senna Fernandes said, “it would not be surprising, as we are talking about a purely digital context. But I’m not sure.”
According to the report of Hoje Macau, the parents were surprised to be informed so late in the process, almost three months after the hacking was known.
Commenting on the case, the president of the Parents Association of the Macau Portuguese School, Filipe Regêncio Figueiredo, hinted that the school board of directors has failed to take timely action on the case, adding that the information provided to the parents meeting held on July 16 was not accurate, as at the time the principal Manuel Machado, representing the board, informed that all stakeholders had been informed of the occurrence.
For Figueiredo, the institution failed in reporting the hacking of the system by only reporting it to the PJ and the School Foundation, saying that the school board should have taken further steps to protect the interests of the school community by extending the report of this case to the Education and Youth Affairs Bureau as well as to the Office for Personal Data Protection and the Cybersecurity Commission.
On the topic, Hoje Macau also cited Machado saying that in consequence of the attack no data from the system had been transferred or lost.
“There was no copy nor data detour. This is very important. The data is all in our possession, it just cannot be used [as it is encrypted],” Machado explained.
The school management system is netGIAE, an online platform that can be operated via Intranet or Internet by users of the system.
It is used by students, teaching staff, and non-teaching staff. Access to some parts of the system can also be granted to parents or guardians.
The system can be used for several purposes, including registration, information, and registration of students’ results, as well as attendance reports.
Among the data that the school board said had been encrypted are school reports as well as names, photos, and personal data of both the students and their parents or guardians.

Categories Headlines Macau