Student data breaches expose cyber flaws in schools

Australian education authorities are facing renewed scrutiny of cyber security in schools after the Victorian Department of Education disclosed that hackers accessed information on current and former government school students, following a separate breach at the University of Sydney late last year.

The Victorian department this week told parents that threat actors had accessed a database containing student information, including names and email addresses, and confirmed that all passwords linked to the system had been reset. In December, the University of Sydney reported that more than 27,000 current and former staff and students were affected by a separate incident involving unauthorised access to data.

The two incidents highlight the risks across Australia's education sector, which manages large volumes of personal data on children, families and staff, often across legacy systems and complex digital platforms.

Long-term risks

Security experts warned that breaches affecting children can have implications that last for many years.

"When student data is exposed, the consequences extend well beyond the immediate incident. Information tied to children and former students often persists for decades, creating long-term risk for families and institutions alike, particularly as personal information can be reused, correlated or exploited years later - even when the initial dataset involved appears limited," said Takanori Nishiyama, SVP APAC & Japan Country Manager, Keeper Security.

Erich Kron, CISO Advisor at security awareness firm KnowBe4, said that the Victorian breach could expose young people to significant harm as the investigation progresses.

"This can end up being very ugly, especially if they find that sensitive information was taken as they investigate more. Bad actors get many benefits from the younger generations, especially if they have enough information to steal their identity. Some of the younger kids may end up having their identity used for a decade or more before they become adults and try to establish their own lines of credit, only to find that someone has already been using their identity all along," said Erich Kron, CISO Advisor, KnowBe4.

Access control

Cyber specialists pointed to identity and access management as a critical weakness across education and public sector systems in Asia Pacific.

"Education and public sector organisations face a difficult balance: large user populations, complex digital ecosystems and constrained resources. User turnover, third-party access and legacy systems further complicate that environment. However, these challenges make strong security fundamentals even more critical. Effective identity and access management, least-privilege enforcement and strict role-based access controls help ensure that access to sensitive systems and data is intentional, limited and continuously monitored. Without these controls, credential exposure or poorly governed access can allow a single compromised account to escalate quickly into a broader incident," said Nishiyama.

Nishiyama said that institutions need consistent review of who can access what data and systems.

"Best practice also requires regular auditing of access privileges, strong credential hygiene and a zero-trust mindset where no user or system is implicitly trusted. This is especially important in education environments, where access rights often accumulate over time and are not consistently reviewed. In practice, these controls determine whether an incident remains limited or becomes systemic," said Nishiyama.

Password exposure

The Victorian department stated that passwords in the affected system were encrypted, and that it had forced resets for all users. Security practitioners cautioned that this step may not remove the wider risks if users have duplicated passwords across services.

"The issues about passwords being stolen can be significant, even if the schools reset them all within their systems. As humans We often find ourselves reusing passwords across different web services, meaning if bad actors gain access to one password, there's a good chance that it will be useful in other accounts. In this case the passwords are said to have been encrypted, which is a good practice, however the ultimate security of these passwords will depend on the type of encryption used. Many older types of encryption are relatively easy to break with modern resources," said Kron.

Security advisers typically urge organisations in similar situations to encourage staff, students and parents to change passwords on any other online services that might share the same credentials, and to adopt multi-factor authentication wherever possible.

Sector pressures

Education systems across Asia Pacific manage large and frequently changing user populations. These include students, alumni, staff, contractors and technology partners. This scale often combines with constrained budgets, legacy platforms and varied levels of cyber security maturity between institutions.

Nishiyama said these pressures increase the need for clear governance and investment in core controls rather than fragmentary solutions.

"Safeguarding student data is a core organisational function that underpins trust in education systems and the services that support them. Maintaining trust requires sustained investment in governance, modern security controls and a culture that treats data protection as an operational priority, not an afterthought," said Nishiyama.