British authorities have reprimanded a Coventry school after hackers compromised its security three times before any real action was taken.
Schools getting hacked is not uncommon, and it's easy to see why. Cybersecurity is not always a priority, and attackers know this all too well. What is rare, though, is for the same target to be hit multiple times in the same way.
The Information Commissioner's Office (ICO) said that unknown attackers compromised Finham Park Multi Academy Trust's systems, with 1,843 UK citizens affected by the latest data breach. The reason was the lack of proper password policies.
The problem is that only after the third successful attack against the school were actual measures taken, according to CoventryLive.
"Finham Park failed to follow this guidance and failed to implement appropriate technical and organisational measures to secure its systems," said the ICO. "The Commissioner's Regulatory Action Policy sets out that where the Commissioner has issued advice, and this advice is not followed, the Commissioner will take this into account as an aggravating factor."
The Commissioner identified a number of problems that led to the security incidents. For example, the school didn't implement a proper lockout policy, and reversible password encryption was enabled.
Authorities also determined that people had too little training and didn’t understand why reusing passwords is a dangerous practice that could impact their workplace. Hackers would have had much more difficulty breaching the systems had these measures been in place from the beginning.
Fortunately, the ICO says that, following the latest attack, the school finally made the necessary changes, including restoring systems from back-ups and implementing multi-factor authentication (MFA), alongside a credential monitoring system, across the entire organization.