Waverley Christian College
Summary
On 16 December 2024, the Fog ransomware group listed Waverley Christian College, a Victorian independent school with campuses in Wantirna South and Narre Warren South, on its dark web leak site, claiming to have stolen 5 gigabytes of data. The compromised information reportedly included financial and insurance documents, internal correspondence, employee driver licenses, and contact details. The college confirmed the cyber incident and engaged external cybersecurity experts while notifying the Australian Cyber Security Centre and the Office of the Australian Information Commissioner.
What Happened
Waverley Christian College, a non-denominational Christian independent school operating two campuses in Melbourne's southeast, was targeted by the Fog ransomware group in December 2024. The attack became public when Fog listed the school on its dark web leak site on 16 December 2024, claiming to have stolen 5 gigabytes of data.
The compromised data claimed by the threat actors included:
- Financial and insurance documents
- Internal correspondence and communications
- Employee personal information including driver licenses
- Contact details for staff and potentially students/families
The specific attack method was not disclosed by the school. Ransomware groups typically gain access through compromised credentials or vulnerable remote access systems, then exfiltrate data before deploying encryption to extort payment.
Impact on Individuals
The breach affected the Waverley Christian College community, including current and former staff, students, and families. The specific number of impacted individuals was not disclosed, though the school serves students across two campuses in Melbourne's southeast suburbs.
Compromised information created several risk vectors:
- Identity theft: Driver licenses combined with names and contact details provided sufficient data for identity fraud attempts
- Targeted scams: Knowledge of staff roles and school affiliations could enable convincing phishing campaigns or social engineering attacks targeting families
- Privacy violations: Internal correspondence and financial records could expose sensitive school operations or personal staff matters
- Child safety concerns: Any student data exposure created heightened risks given the vulnerability of children to exploitation
For educational institutions, data breaches carry particular sensitivity due to the age of students and the trust relationship between schools and families. Parents entrust schools with detailed family information for enrollment, emergency contacts, and student welfare, expecting robust protection of this data.
The exposure of financial and insurance documents could reveal budgetary information, employee compensation details, or commercially sensitive arrangements that schools would not typically disclose publicly.
Organisational Response
Waverley Christian College confirmed it was investigating the claims made by the Fog ransomware group. The school took immediate steps to engage external cybersecurity experts to assess the breach scope and remediate vulnerabilities.
The college notified both the Australian Cyber Security Centre (ACSC) and the Office of the Australian Information Commissioner (OAIC), fulfilling its regulatory obligations under the Notifiable Data Breaches scheme. The school indicated it would notify affected individuals directly as the investigation progressed and the impact was determined.
The college did not publicly disclose whether Fog had issued ransom demands, whether the school's operational systems were encrypted, or what specific security weaknesses enabled the attackers to gain initial access and exfiltrate data within what Fog claimed was a rapid attack timeframe.
As an independent school, Waverley Christian College would need to balance transparency with families against operational security considerations and ongoing law enforcement engagement related to the ransomware investigation.