A confirmed cyberattack on Reynella East College, an Adelaide school serving more than 1,900 students from preschool to Year 12, has escalated into a full data publication event. The Interlock ransomware group released what it claims is more than 600 gigabytes of stolen school data on its darknet leak site on June 23, 2026, roughly two weeks after the school first notified parents of a system-wide breach on June 9, 2026. According to reporting by Cyber Daily, the dump includes passport scans, plaintext credentials, contracts, financial reports, and identification numbers belonging to students, families, and staff.
What Happened
Reynella East College first informed parents of a cyber security breach on June 9, 2026, in a letter co-signed by its principal and chief information officer. The letter stated: "There has been a cyber security breach impacting all of our school's computer systems," and warned that ICT systems were unlikely to return online that week. At the time of initial disclosure, no threat actor had claimed responsibility, and the school noted classes were continuing while the Department for Education and specialist teams worked to restore systems.
The situation escalated on June 23, 2026, when the Interlock ransomware group went public on its darknet leak site, claiming responsibility and publishing the stolen data. The roughly 14-day gap between the school's initial disclosure and the eventual data dump is the window in which insurer notification, legal privilege over forensic findings, and containment decisions would ordinarily occur. Reynella East College did not respond to Cyber Daily's requests for comment as of publication.
What Was Taken
Interlock claims to have extracted more than 473,000 files spanning over 68,000 folders, totaling more than 600 gigabytes. An independent file review conducted by Cyber Daily identified the following among the published data:
- Passport scans of international students and teaching staff
- Plaintext credential lists, meaning unencrypted usernames and passwords stored in readable form
- Student and family contact records
- Internal teaching documents
- School budget and financial files, alongside contracts and identification numbers
The sensitivity profile here is severe. Identity documents and contact records belonging to minors carry long-tail identity fraud risk, with potential harm that may not surface for years. The presence of plaintext credentials compounds the exposure, offering attackers ready-made access to any system where those credentials were reused.
Why It Matters
This incident illustrates the distinct liability profile of an education-sector breach. Unlike a standard corporate compromise, the exposed data centers on minors and includes government-issued identity documents that cannot be reissued as easily as a password. That creates a long-tail fraud exposure for families that may persist well beyond the immediate news cycle, and it raises pointed questions about notification timelines and regulatory obligations under Australian privacy law.
For defenders, the case is a reminder that the breach disclosure clock and the data publication clock are separate events. The two-week window between the June 9 notification and the June 23 dump is when a victim still has leverage to contain, notify, and prepare. Treating the initial intrusion as the end of the incident, rather than the start of a publication countdown, leaves organizations flat-footed when stolen data finally surfaces.
The Attack Technique
Interlock is a ransomware-and-extortion group that operates a darknet leak site to pressure victims who do not pay. The publicly available reporting does not specify the initial access vector used against Reynella East College. However, the recovery of plaintext credential lists from the environment is a strong indicator that credential hygiene was weak, and such files frequently serve as the pivot point for lateral movement and privilege escalation once an attacker gains an initial foothold.
The double-extortion pattern is on full display: the actor exfiltrated a large volume of data before or alongside any encryption, then published it when negotiations stalled or were declined. The sheer scale of the haul, more than 473,000 files across 68,000 folders, suggests broad, unsegmented access to file shares rather than a narrowly scoped compromise.
What Organizations Should Do
- Eliminate plaintext credential storage immediately. Audit file shares and document repositories for spreadsheets or text files containing usernames and passwords, and migrate to a managed secrets vault or password manager.
- Enforce phishing-resistant multi-factor authentication on all remote access, administrative accounts, and email, so that stolen credentials alone cannot grant entry.
- Segment networks and apply least-privilege access controls to limit how far an attacker can reach from a single compromised account, reducing the blast radius of an intrusion.
- Encrypt sensitive identity documents at rest, including passport scans and student records, so that exfiltrated files are not immediately usable.
- Maintain offline, tested backups and a rehearsed incident response plan that treats the period after initial detection as an active extortion countdown, not a conclusion.
- Prepare breach notification and regulatory workflows in advance, including engagement with privacy regulators and affected families, so the organization can act decisively within the narrow window before stolen data is published.
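One way to run the file-share audit from the first recommendation, as an added example that is not from the original article or its sources. It checks text-like files only (binary spreadsheets such as .xlsx are out of scope), reports paths and counts without echoing the secrets, and the extension list, regex heuristics and sample strings are assumptions constructed for illustration.

```python
import csv, os, re, sys

TEXT_EXT = {".txt", ".csv", ".ini", ".cfg", ".conf", ".env"}
WORD = r"(?:password|passwd|pwd|passphrase)"
# Key/value form such as "pwd: abc" or "db_password=abc".
KV_RE = re.compile(rf"{WORD}\s*[:=]\s*(\S+)", re.I)
# CSV export whose header row has a column named e.g. "Password".
HEADER_RE = re.compile(rf"^{WORD}$", re.I)
# Hashes and vault references are stored secrets, but not plaintext ones.
NOT_PLAIN_RE = re.compile(r"^(\$2[aby]\$|\$argon2|\$6\$|\{SSHA\}|vault:)", re.I)

def count_plaintext(text):
    """Count lines that appear to hold a readable password; never returns the value."""
    lines = text.splitlines()
    if not lines:
        return 0
    header = next(csv.reader(lines[:1]), [])
    cols = [i for i, h in enumerate(header) if HEADER_RE.match(h.strip())]
    if cols:  # spreadsheet export: inspect only the password column(s)
        return sum(1 for row in csv.reader(lines[1:]) for i in cols
                   if i < len(row) and row[i].strip()
                   and not NOT_PLAIN_RE.match(row[i].strip()))
    return sum(1 for ln in lines
               if (m := KV_RE.search(ln)) and not NOT_PLAIN_RE.match(m.group(1)))

def audit_share(root, max_bytes=5_000_000):
    """Walk a share and return {relative_path: suspected_line_count}."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in TEXT_EXT:
                continue
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = count_plaintext(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings

# Constructed sample inputs (not data from the incident).
SAMPLE_CSV = "Name,Username,Password\nA. Teacher,ateacher,Spring2026!\nB. Admin,badmin,\n"
SAMPLE_CFG = "db_user = svc_sis\npassword = $2b$12$abcdefghijklmnopqrstuv\npwd: Winter#1\n"

if __name__ == "__main__":
    for rel, hits in sorted(audit_share(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(f"{hits:5d}  {rel}")
```

Each reported file is a candidate for migration to a secrets vault or password manager, followed by rotation of every credential it contained.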
Sources: South Australian school data dumped online weeks after hack | Insurance Business