WisePay school payments service falls victim to cyber attack

School payments service provider WisePay has reported that its website fell victim to a cyber attack between October 2 and October 5.

The cyber attack involved creating a spoof page, which allowed the attacker to gather the payment details of parents who made payments using WisePay to UK schools during that period. According to the firm, the attack affected attempted payments to about 300 schools.

However, WisePay claims that only a small number of parents would have used its system before it was taken offline.

Richard Grazier, managing director at the payments firm, said the types of cashless payments made, including exam fees and school meals, would not be made on a daily basis. He claimed: "Actually, it's quite a small subset of users of the platform."

The cyber attack was carried out on a Friday night and was not detected until the following Monday morning at 10:00 BST. Grazier said that upon detection of the attack, WisePay's website was taken down.

He added that the system has since been restored and is now safe to use.

How the attack was carried out

The WisePay managing director explained that the attacker was able to locate a "backdoor" into the system's database and used it to modify one page. As a result of the modification, users who clicked to make a payment were redirected to an external page managed by the attacker.

The external page was designed to look like a legitimate payment page, and users who entered their debit or credit card details were actually sending the data to the hacker.

This credit card skimming attack is sometimes called a Magecart hack, where attackers do not break into any databases to steal the information but instead take over the live payment page.

These types of attacks do not usually last very long, as the attackers are usually detected fairly quickly and kicked out of the system, so they have to choose targets that use highly active payment systems.
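
The modification described above, a payment link changed to point at an external page, can be caught by comparing where a payment page sends its users against a list of expected hosts. The following is an added example, not WisePay's code or part of the original report; the hostnames, markup and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that can send a user, or their card data, to another origin.
WATCHED = {"a": "href", "form": "action", "iframe": "src", "script": "src"}

class OutboundTargets(HTMLParser):
    """Collect every URL a payment page links to, posts to or loads from."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = WATCHED.get(tag)
        if attr and attrs.get(attr):
            self.targets.append((tag, urljoin(self.base_url, attrs[attr].strip())))
        # <meta http-equiv="refresh" content="0; url=..."> redirects without a click.
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            _, _, url = (attrs.get("content") or "").partition("=")
            if url:
                self.targets.append((tag, urljoin(self.base_url, url.strip(" '\""))))

def unexpected_targets(html, base_url, allowed_hosts):
    """Return (tag, url) pairs whose host is not on the allowlist."""
    parser = OutboundTargets(base_url)
    parser.feed(html)
    flagged = []
    for tag, url in parser.targets:
        parts = urlsplit(url)
        if parts.scheme in ("http", "https") and parts.hostname not in allowed_hosts:
            flagged.append((tag, url))
    return flagged

# Constructed sample data: hostnames and markup are placeholders.
BASE = "https://payments.example/account/basket"
ALLOWED = {"payments.example", "gateway.example"}
CLEAN = '<a href="/account/pay">Pay now</a><form action="https://gateway.example/charge"></form>'
TAMPERED = '<a href="https://payments-checkout.example/pay">Pay now</a><script src="/js/site.js"></script>'

if __name__ == "__main__":
    for name, page in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, unexpected_targets(page, BASE, ALLOWED))
```

Run against the rendered page on a short schedule, a check like this shortens the gap between a Friday-night change and its detection the following Monday.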

Addressing the hacking incident

The Information Commissioner's Office (ICO) and other investigators will attempt to determine how many customers lost their credit card details during the attack that lasted for three days.

In 2018, a similar attack occurred at British Airways' (BA) website for around 15 days, resulting in the theft of almost 400,000 customers' credit card information. The ICO said it plans to impose a fine of £183 million on BA due to the incident, but the case is yet to be concluded.

WisePay gave assurances that it does not collect any payment information itself and had not leaked any of its own records. However, the company wrote a letter to schools, recommending that they ask parents who thought they might have been affected by the attack to pause or cancel their bank cards, as well as change any online banking passwords.

According to the ICO, WisePay notified it of "a potential data breach and we will be making further enquiries". The payments service firm also said that it is working with the police and has "engaged a computer forensics expert" whose work was ongoing.