Surrey Police are investigating a fraud and computer misuse allegation at AQA, England's largest exam board which follows the recent data breach reported by Cambridgeshire Policy into a data breach with the exam boards at OCR and Pearson. Full article: AQA also hit by exam paper cyber attack.
Cambridgeshire police are investigating a cyber attack where it is thought a hacker posed as a school to obtain exam papers before selling them online.  They said they were in the early stages of investigating a data breach involving exam boards Pearson and OCR.  The incident is thought to related to a school's email system being hacked and then used to request papers from the exam boards - before the exam was taken.  It is currently not known which exam this relates to.  Full article: Police investigate stolen exam papers after cyber attack.

Centres usually receive exam papers weeks in advance.  However, there is also a process to request emergency papers sent electronically if there is not enough time to post the papers.

The BBC recently reported that social media scammers are charging pupils hundreds of pounds for what they claim are leaked GCSE and A-level exam papers, but are likely fakes.  At that time, the exam boards said that it is extremely rare for genuine papers to be leaked: Instagram seller quoted me £500 for a GCSE paper.

Given that both incidents are reportedly from school email accounts being hacked we would recommend that schools review the use of multi-factor authentication for email accounts: Introduction to the Knowledge Bank.  Perhaps the exam boards need to add to their procedures of how to identify if the email request comes from a genuine source?  All processes and procedures in an organisation should have a cyber security element to them.  We provide best practice guidance around Information and Cyber Security in our best practice area: Information and Cyber Security Best Practice Area and our Information/Cyber Security Checklist.

What to do in an attack:

Tell someone!  Report to IT. Report to SLT. 

Unplug the computer from the internet by removing the ethernet cable or turning the Wi-Fi off.

If you are a victim of a ransomware attack we would recommend reporting this to Action Fraud: https://www.actionfraud.police.uk/ as well as your data protection officer so they can advise about the data loss.  Most cyber crimes like these will also need to be reported to the ICO by your data protection officer.

Isolate the infected device and pass to IT 

Always ensure there are backups you can restore from.

Little Guide to ACTION FRAUD

Remember – ‘Hackers don’t break in they login’!