Leutchford said it complicated their investigation but could also carry “serious legal consequences if certain information was downloaded, shared or reposted”.
Loading
“Exploring the dark web and accessing this material on personal devices may expose families to unnecessary and very serious risks,” she said.
A parent at the school, who asked not to be identified, said families’ anxiety about the hack went far beyond compromised passports or bank account details.
“Parents can handle bank accounts, but your kids’ private information, once that’s out, you can’t undo that,” she said.
The principal said it was likely the students accessed the dark web outside school using laptops, computers or mobile phones at home, and warned parents about the importance of digital responsibility.
Interlock listed the school as one of its victims on a leak site, saying Loyola was “very poorly protected in our reality and therefore data was compromised”.
“The full history and database of all students and all their private information were freely available! Also, a large number of financial, legal and other documents!”
Interlock claims it has hacked 67 victims across the world, 14 of which were educational institutions. Loyola College was the first Australian school targeted by the group, but Interlock has been linked to other cyber-security breaches in Australia.
According to cyberdaily.au, Interlock published several sample documents from Loyola, including passports of current and past employees, detailed financial records, tax details and court orders.
Interlock has been targeting groups in North America and Europe since September 2024 and is described by the FBI as opportunistic and financially motivated.
Scotch College in Hawthorn was the target of a cyberattack in August.Credit: Joe Armao
The group has used a “double extortion model” by which vital data is stolen through encryption and subject to ransom demands. But it is unclear if the hackers have tried to extort Loyola in this way.
Cyber safety expert Susan McLean said schools were notorious for having “really slack and easily hackable systems”.
“It needs to be a wake-up call for all schools to look and improve their systems,” she said.
McLean said there were two parts to the hacking; the monetary element of banking details or enough personal information for identity theft, and the other was simply being a pest and proving they could do it.
Parents can change their credit card numbers if bank details are hacked, “but if your personal information is out there – that’s not good in any shape or form”.
“It will lead to bullying and harassment,” she said.
“The question for the school is, ‘what are you doing to discipline the kids who do this? Do you have school rules around this? If you don’t, you need to’.”
She said children can easily access the dark web, and she knew children did so because she fields questions about whether their dark web activity was traceable.
Loading
Last year, there were 1446 students enrolled at Loyola, which employed 131 teaching staff and 79 non-teaching staff.
A Melbourne Archdiocese Catholic Schools spokesperson, speaking on the college’s behalf, said the relevant government authorities, including Victoria Police, had been notified of the hack.
“Our external forensic digital experts are still working to understand the full nature of information that has been accessed. Investigations of this kind do, unfortunately, take time,” she said.
“As this ongoing investigation reveals further details, we are calling impacted individuals or, where appropriate advising them in writing.”
The spokesperson said that extra online security was now in place at Loyola and other Catholic schools around Melbourne and that students, staff and parents at the college were receiving support and advice.
The federal government’s Australian Cyber Security Centre would not comment on the incident.
The Loyola incident follows a cyberattack at top boys’ school Scotch College in early August. Principal Dr Scott Marsh said an investigation found only a limited amount of information had been accessed by a third party.
In an email to parents, seen by The Age, Marsh said the school had taken a cautious approach and reviewed files identified as likely to be at risk. He said the school would contact those people whose information it thought might have been accessed.
To report cybercrime and cyber security incidents, visit www.cyber.gov.au/report, or call Australian Cyber Security Hotline on 1300 CYBER1 (1300 292 371).
Start the day with a summary of the day’s most important and interesting stories, analysis and insights. Sign up for our Morning Edition newsletter.