The Irish National Teachers’ Organization has suffered a breach affecting more than 30,000 teachers in that country.
The INTO has warned that hackers may have compromised its online learning portal, exfiltrating users’ personal data. That includes names, email addresses, city, country, gender and information related to courses—all perfect fodder for follow-on phishing attempts. In some cases, users’ mobile number, school roll number, role in school, INTO membership number and Teaching Council registration number may also have been laid open.
No financial information, credit-card data or passwords were accessed, it added.
The website, INTO Learning, offers a range of online training courses for teachers, along with retirement planning courses and principals seminars. The incident affects anyone who has booked one of these in the “last few years,” the union told RTE. Everyone impacted has been notified, and will be asked to reset their passwords.
Ireland’s Office of the Data Protection Commissioner and gardaí have been informed of the hack, and INTO said that preliminary investigations show that the hackers may have used the compromised server behind the breach as a platform for sending out spam messages as well.
Joe Fantuzzi, CEO of RiskVision, said via email that the incident underscores growing risk against the vulnerable and largely overlooked education sector.
“Without stringent security mandates or compliance regulations, the education sector often has security infrastructure gaps that create hidden—but significant—security vulnerabilities and threaten its risk posture,” he said. “Like many industries, education relies heavily on contractors, third parties and unsecure web sites, many of which are not regulated, which only further damages its risk environment. But also like many industries, there is no shortage of critical data and personally identifying information stored in its databases.”