Victorian Government agencies are scrambling to evaluate their exposure after a widely-used technology services provider last week suffered a cyber attack that risks exposure of the personal and health details of thousands of students and their families.

PNORS Technology Group businesses Datatime and Netway – which provide document and data capture, digital conversion and managed IT services for clients including government agencies – were reportedly hit by ransomware before cyber criminals contacted the firm with a sample of purportedly stolen data.

The breach “is still being investigated and we are working closely with all authorities to assess how many of our clients have been impacted and the nature of the data that has been stolen,” PNORS CEO Paul Gallo said in a statement.

PNORS’ five subsidiaries have over 1,000 clients in total, with the customer base of the affected organisations including six Victorian government clients including the state Department of Education and Training (DET).

Compromised data, reports indicate, include details of children and family issues provided on the School Entrant Health Questionnaire (SEHQ) – which, the government says, “lets parents record concerns and observations about their child’s health and wellbeing” when commencing school.

Victorian Department of Premier and Cabinet (DPC) spokespeople said the organisation was aware of the hack, and is working with PNORS to better understand its full impact.

Private data relating to former and current students of Melbourne-area private school Kilvington Grammar School was also under threat, The Age reported, after that institution said separately that it had been hacked in recent days.

Educational institutions are regularly targeted by cyber criminals, with the Office of the Australian Information Commissioner (OAIC) recording 32 reported data breaches in the sector during the second half of 2021 alone – including seven incidents that had been identified as malicious or criminal attacks.

And while education providers were better than those in other industries at identifying and reporting their breaches quickly – 91 per cent did so within 30 days of its occurring, compared with around two-thirds of insurance companies – they were also extremely prone to human error, which was identified in 75 per cent of reported breaches.

Only as secure as your weakest link

With a new ANU survey finding that 1 in 3 of the 3,500 surveyed Australian adults had been exposed to a data breach in the last 12 months, the compromise of PNORS highlights the ongoing problems companies face as they entrust sensitive data to third parties whose cyber security protections are outside of the companies’ immediate control.

Such supply-chain vulnerabilities have become major vulnerabilities for companies of all types, according to recently released research from security firm BlackBerry that found 80 per cent of the 1,500 surveyed IT decision makers had been notified of an attack or vulnerability in its supply chain in the last 12 months.

Ninety per cent of respondents took up to a month to recover, the survey found, with 59 per cent reporting significant operational disruption, 58 per cent reporting data loss, and 52 per cent watching their reputation take a hit.

“While most have confidence that their software supply chain partners have policies in place of at least comparable strength to their own, it is the lack of granular detail that exposes vulnerabilities for cyber criminals to exploit,” said BlackBerry vice president of product security Christine Gadsby.

Unknown vulnerabilities “can wreak havoc across not just one enterprise, but several,” she continued. “How companies monitor and manage cyber security in their software supply chain has to rely on more than just trust.”

The PNORS compromise is the latest in a series of breaches that have successfully exploited weak spots in organisational supply chains to access and steal sensitive data.

Last week, for example, real estate firm Harcourts was compromised, releasing large volumes of personal data just days after up to 40,000 customers of Australian Defence Force (ADF) supplier ForceNet were compromised in a compromise of that firm’s systems that came on the heels of the massive breaches of Medibank, MyDeal, and Optus.