College calls in the police after principal targeted by ‘ethical hacker’

Police have been called in after a college’s principal was targeted in a malicious hack in which fraudsters allegedly doctored internal emails to include a racist word and then sent the emails to the media, staff and a local councillor.

FE Week was one recipient of the emails, which came from someone who called themselves an “ethical hacker” and had broken into South Staffordshire College’s IT system this morning in order to send them from a senior employee’s email account.

“About time. All that paki kept banging on about was more ALS,” one alleged message from the principal, dated 23 July 2019, said concerning a departing employee.

The email chain, which the college insists was fabricated, even had a response from the college’s interim deputy for finance and resources, who minutes later responded to ask: “Can we discuss this offline please and not have comments in writing.”

South Staffordshire College told this newspaper that the emails had been forged and they have now referred the matter to the police.

“You may have recently, this morning, received an email that entered the college system through means of hacking and claims to be an ethical hack,” a statement from principal Claire Boliver said.

“We are taking this email very seriously, the chair of the board has been informed and this has now become a police matter.

“We have taken measures to strengthen our security systems further.”

She continued: “The contents of the email with an alleged racist remark is fabricated. There is clear evidence that proves the email has been edited.”

Staffordshire police later released this statement to FE Week: “Police received a report at around 10.50am on 5 September of malicious emails being sent from an account at an educational establishment in South Staffordshire.

“Anyone with any information is asked to ring 101 quoting incident 175 of 5 September.

“Alternatively, for guaranteed anonymity, please call Crimestoppers on 0800 555 111.”

South Staffordshire is the latest college to be targeted by a cyber-attack in recent months.

Education providers were first warned about hacking and phishing scandals in an ESFA update in June, which said some had suffered “financial losses” after falling for this type of scheme.

FE Week later revealed that Lakes College in Cumbria was one provider targeted. Fraudsters, perpetrating a phishing scam, hacked into the email account of principal Chris Nattress and sent a link to his contacts to “review and sign”.

When Nattress’s contacts replied to check if the email was genuine, the fraudster replied saying that it was.

They also changed the college’s phone number in the email signature by one digit, and made up a mobile number, so contacts could not check in that way.

The college’s digital team identified the issue before staff received any reports of a problem.

Further cyber-crime advice was put out by the ESFA last month following the hacks.