An Adelaide school’s cyber incident has escalated into a full data publication event, with a ransomware group releasing alleged student and staff records on the dark web – raising questions about notification timelines, regulatory obligations, and underwriting exposure in the Australian education sector.
More than two weeks after Reynella East College first notified parents of a system-wide breach, the threat actor behind the attack went public – releasing what it claims is more than 600 gigabytes of school data on its darknet leak site on June 23, 2026, according to Cyber Daily.
The Adelaide school, which serves students from preschool to Year 12 and enrols more than 1,900 students, had first informed parents of the breach on June 9, 2026. At that point, no threat actor had yet claimed responsibility. The roughly 14-day gap between initial disclosure and eventual data publication is the period during which insurer notification, legal privilege over forensic findings, and containment decisions would ordinarily be made.
The ransomware group, Interlock, said in its June 23 leak post that it had extracted more than 473,000 files across more than 68,000 folders, according to Cyber Daily. An independent file review by Cyber Daily identified passport scans of international students and teaching staff, plaintext credential lists (unencrypted usernames and passwords stored in readable form), student and family contact records, internal teaching documents, and school budget files among the published data.
The school’s June 9 letter to parents – co-signed by its principal and chief information officer – stated: “There has been a cyber security breach impacting all of our school’s computer systems. The Department for Education is working closely with our school and specialist teams to understand what has happened and restore systems as quickly as possible. It is unlikely our school’s ICT systems will be back online this week.” The letter also confirmed that classes were continuing and that further advice would be provided if investigations confirmed any impact on personal information.
Reynella East College did not respond to Cyber Daily’s requests for comment as of publication.
The nature of the data allegedly exposed in this incident creates a liability profile that differs materially from a standard corporate breach. Passport scans, family contact details, and student identification records belonging to minors carry long-tail identity fraud risk – harm that may not manifest for months or years after the initial exposure. For insurers assessing cyber and liability portfolios in the education sector, that extended timeframe has direct implications for how tail exposure is estimated and reserved.
The regulatory dimension adds a further layer. Under the Privacy Act 1988 (Cth), entities are required to take reasonable steps to protect personal information from misuse, interference, and loss. The Notifiable Data Breaches (NDB) scheme’s operative test for notification is whether a data breach is likely to result in serious harm to one or more individuals. Given that the data allegedly exposed includes identity documents and contact records belonging to minors, an entity in Reynella East College’s position would ordinarily be required to assess that threshold carefully rather than assume it has not been met.
The OAIC has been explicit about its expectations in cases involving ransomware. In its Notifiable Data Breaches Report for January to June 2024, the OAIC stated that paying a ransom to a cybercriminal would not be sufficient to prevent serious harm to affected individuals, and that it is unlikely a reasonable person would accept that a cybercriminal would honour any agreement with respect to personal information. That position is directly relevant to any coverage structure that includes a ransom payment component: payment does not extinguish notification obligations under the NDB scheme.
The OAIC has also signalled a more active enforcement posture. Australian Privacy Commissioner Carly Kind wrote in the same report that after six years of the NDB scheme, it is no longer acceptable for privacy to be an afterthought, and that entities need to take a privacy-centric approach in everything they do. For management liability underwriters assessing directors’ and officers’ exposure, that statement reflects a regulatory environment in which the consequences of inadequate information security governance are increasingly likely to attract formal scrutiny.
Interlock has been active since at least late 2024 and has listed 111 ransomware victims to date, with a concentration in the education and manufacturing sectors across North America, according to Cyber Daily. The Reynella East College incident marks the group’s first claimed attack on an Australian organisation. The group’s ransom note, as cited by Cyber Daily, read: “We have taken control of your systems, encrypted your critical files, and extracted sensitive data. This is a pivotal moment for your organisation – your actions now will determine the outcome.”
Interlock is known to exploit compromised websites and social engineering as initial access vectors, including a technique called ClickFix, which presents victims with fraudulent CAPTCHA prompts to deliver malicious payloads. Once inside a network, the group encrypts files while simultaneously exfiltrating data – the dual pressure mechanism that defines double-extortion ransomware. Cyber Daily also reported that FBI evidence points to operational links between Interlock and the Rhysida ransomware group.
The Reynella East College attack is one of several cyber events to hit Australian educational institutions within a short period, pointing to a sector-wide exposure profile that insurers may need to assess.
The University of Western Australia disclosed a breach in June 2026 after database access credentials were unintentionally published online, according to Cyber Daily. The exposed system – Callista, the university’s student information management platform – was accessed without authorisation before the vulnerability was identified and closed. Affected data included names, student IDs, partial dates of birth, phone numbers, personal email addresses, postcodes, and enrolment statuses. The university told Cyber Daily that financial details were not accessed and that no other systems were affected.
Notably, this was the university’s second disclosed breach within six months, following a separate incident in August 2025 that required a system-wide password reset, per Cyber Daily. Repeat incidents within a compressed timeframe are a factor underwriters may consider when assessing whether an insured’s post-incident remediation was adequate and whether accumulated exposure warrants adjustment to coverage terms or pricing.
West Australian educational publisher R.I.C. Publications also disclosed an incident around the same period, after a threat actor posted what they claimed was purchasing data from more than 116,000 customers to an online hacking forum, according to Cyber Daily. An R.I.C. Publications spokesperson told Cyber Daily: “We have also become aware that a third party has published a document online claiming to contain data obtained from our systems without authorisation. We understand this news may cause concern, and [we] wish to assure our stakeholders that we are investigating this claim as a priority.” The company confirmed payment information was not among the data involved and said it was engaging cyber security specialists and relevant authorities.
These incidents reflect a documented pattern in national breach reporting. The OAIC’s Notifiable Data Breaches Report for January to June 2024 placed education fourth among the top five sectors by breach notifications. In that period, the education sector accounted for 44 notifications – 8% of all notifications received nationally.
Ransomware incidents, of the kind Interlock is alleged to have used against Reynella East College, carry a particularly significant individual impact. In the January to June 2024 period, ransomware notifications carried an average of 295,555 individuals affected per incident.
The most recent OAIC reporting period, covering January to June 2025, recorded 532 data breach notifications. Malicious or criminal attacks accounted for 59% of all notifications, with cyber security incidents as the predominant source within that category. The average number of individuals affected per cyber incident was just over 10,000. Human error accounted for 37% of all notifications – up from 29% in the preceding period – reinforcing that technical controls alone do not eliminate data breach exposure, per the OAIC’s NDB statistics dashboard.
The frequency and character of these incidents align with broader trends documented at the national level. The Australian Signals Directorate’s (ASD) Australian Cyber Security Centre Annual Cyber Threat Report 2024-25 recorded more than 1,200 cyber security incident responses during the financial year – an 11% rise from the prior year. The volume of proactive notifications to entities about potential malicious cyber activity grew 83% year-on-year to more than 1,700 instances.
The ASD’s ACSC report identified credential theft as a persistent attack vector, with cybercriminals purchasing stolen usernames and passwords through dark web markets to gain unauthorised access to email, financial, and social media accounts. The report also noted that artificial intelligence is almost certainly enabling malicious actors to scale up attack operations and accelerate their execution – a development with potential implications for both claims frequency and severity across cyber portfolios.
Financial loss data from the same report illustrates the growing cost burden on businesses. Self-reported cybercrime losses per incident for large businesses climbed 219% to an average of $202,700 in FY2024-25. Medium businesses reported an average of $97,200, up 55%, while small businesses reported $56,600, up 14%.
The Reynella East College incident brings together several of the risk factors that characterise the current Australian cyber threat environment: a sector with documented and rising breach frequency, a threat actor employing double-extortion tactics against an organisation holding sensitive data belonging to minors, a regulatory environment with escalating enforcement expectations, and a 14-day window between initial disclosure and data publication. For insurers, each of those factors bears on coverage response, claims reserving, and underwriting appetite – and their convergence in a single incident is a signal worth examining.
