Global Schools Group, formerly known as Global Schools Foundation and one of the world's largest international education networks, has reportedly been hit by a ransomware attack. The ransomware crew FulcrumSec claims to have exfiltrated roughly 4.8 terabytes of sensitive data belonging to students, parents, and staff before listing the organization on its data leak site. Authorities in Singapore, where the group is headquartered, have opened an investigation while the organization assesses the full scope of the compromise.
What Happened
The incident surfaced publicly after FulcrumSec named Global Schools Group as a victim on its dark web data leak platform and threatened to publish the stolen files unless ransom negotiations advanced. This double extortion pattern, encrypt and exfiltrate, then pressure the victim with the threat of public disclosure, is now the standard operating model for most financially motivated ransomware operations.
Global Schools Group operates a large portfolio of international schools spanning multiple countries, serving tens of thousands of students. The breadth of that footprint means a single intrusion into shared back office systems can expose records across numerous campuses and jurisdictions at once. Singaporean authorities have been notified and an investigation is underway. As of publication the organization has not confirmed the full technical details, and the 4.8 TB figure remains a claim made by the threat actor rather than an independently verified total.
What Was Taken
According to FulcrumSec's claims, the stolen trove totals approximately 4.8 terabytes. For an education organization, data at that scale typically includes a dangerous concentration of personal information:
- Student records, including names, dates of birth, and enrollment details
- Parent and guardian contact and identity information
- Staff and employee human resources files
- Financial and tuition payment data
- Internal administrative and operational documents
Education sector data is especially sensitive because it concerns minors, whose identity information has a long shelf life for fraud and is difficult for victims to monitor or remediate. Until the organization completes its forensic review, the exact contents and the accuracy of the volume claim cannot be confirmed.
Why It Matters
The education sector has become a priority target for ransomware operators. Schools and universities hold rich stores of personal and financial data, often run on constrained IT budgets, and depend on continuity of operations that makes them more likely to pay. A 4.8 TB claim against an organization of this size signals deep access to core systems rather than a peripheral foothold.
For defenders, this incident is a reminder that international and multi-campus organizations carry concentrated risk: centralized administrative platforms and shared identity infrastructure turn one breach into an enterprise wide exposure event. The involvement of national authorities also underscores the regulatory and reputational fallout that now accompanies large education breaches.
The Attack Technique
The initial access vector has not been publicly disclosed. FulcrumSec's behavior fits the typical double extortion playbook, where operators gain entry, move laterally to locate and stage high value data, exfiltrate it, and then deploy encryption. Common initial access routes for groups operating this way include phishing, exploitation of internet facing applications and VPN appliances, exposed remote access services, and the use of stolen or weak credentials. Without confirmed forensic detail, defenders should treat all of these vectors as plausible and prioritize accordingly.
What Organizations Should Do
- Enforce phishing resistant multi factor authentication on all remote access, email, and administrative accounts to blunt credential based intrusions.
- Maintain offline, immutable, and regularly tested backups so that encryption alone cannot force a ransom payment.
- Segment networks to limit lateral movement, isolating student information systems and finance platforms from general user environments.
- Patch and harden internet facing systems, especially VPNs, remote desktop, and web applications, on an aggressive timeline.
- Deploy endpoint detection and response and monitor for large outbound data transfers that indicate exfiltration before encryption.
- Build and rehearse an incident response and breach notification plan, including legal and regulatory obligations across every jurisdiction the organization operates in.