● Intelligence Brief — Education Sector

They Were Breached in 2025. Here Is What Is Still Visible Today.

Education sector alert: Australian schools are among the most targeted organisations for ransomware. This analysis shows what is publicly visible before an attacker even knocks on the door.


In 2025, Belmont Christian College in Lake Macquarie, NSW was listed on the Qilin ransomware group’s dark web leak site. The attack exposed student and staff personal details, immunisation records, Working With Children ID data, payment histories, and donation records. It was one of the most sensitive school data breaches recorded in Australia.

In May 2026, BlackFlag Advisory conducted a passive OSINT review of bcc.nsw.edu.au as part of our ongoing intelligence work on the Australian education sector. Everything in this article was found from publicly available sources. No systems were accessed. No credentials were used. No scanning tools were directed at the school’s infrastructure.

What we found raises a direct question: if these issues are visible to anyone who knows where to look, what else is the next threat actor going to find?

  • 4 — critical findings from passive review (BlackFlag Advisory passive scan, May 2026)
  • 8 — subdomains publicly indexed, including active VPN and enrolment portals
  • $0 — cost to discover all findings, entirely from public sources; no systems accessed

What Happened — The Qilin Breach

The Qilin ransomware group listed Belmont Christian College on its dark web leak site in 2025. Qilin operates a double-extortion model — they encrypt files and simultaneously exfiltrate data, threatening to publish it unless a ransom is paid. The data allegedly stolen from BCC included student and staff personal details, immunisation records, Working With Children ID data, payment histories, and donation records.

For a school community, this is not simply a data breach. These are families who entrusted the school with the most sensitive details of their children’s lives — health records, identity documents, financial information. The exposure of Working With Children ID data in particular carries child safety implications that extend well beyond a typical corporate breach.

Children’s data carries heightened obligations

Under the Australian Privacy Act, personal information about children is treated with additional sensitivity. The OAIC has been explicit that organisations holding children’s health, identity, and financial data must apply the highest standard of care under APP 11. A breach of this nature — involving immunisation records and Working With Children IDs — is exactly the category of incident the OAIC treats most seriously in enforcement.

What a Passive Review Found Today

A passive OSINT assessment of bcc.nsw.edu.au in May 2026 — conducted entirely from public sources, no systems accessed — returned the following findings.

Critical Finding 1: HSTS Not Implemented

HTTP Strict Transport Security is missing from the school’s web server. Without HSTS, browsers are not instructed to always use HTTPS when connecting to the site. This leaves the door open to SSL stripping attacks — where an attacker positioned between a user and the server downgrades the connection from encrypted HTTPS to unencrypted HTTP, enabling interception of login credentials, form submissions, and session data. For a site where parents log in to enrolment portals and submit personal information, this is a critical gap.

Critical Finding 2: Pre-Consent Tracking Active

Google Tag Manager, Google Analytics, and Facebook tracking pixels are firing on page load — before any consent mechanism is triggered. This means every parent, student, and community member who visits bcc.nsw.edu.au has their behavioural data collected and sent to overseas servers before they have been given the opportunity to consent or decline. Under Australian Privacy Principle 3, this is a collection breach. Under APP 8, the overseas transfer of this data without disclosure is a separate violation.

Critical Finding 3: No Privacy Act Reference in Policy

The school’s privacy documentation does not reference the Australian Privacy Act or the Australian Privacy Principles, and does not name a privacy contact. For an organisation holding children’s health records, identity documents, and financial data, this is a fundamental compliance failure. APP 1 requires organisations to have a clearly expressed privacy policy that identifies how personal information is managed — including the types of information held, the purposes for collection, and how individuals can access or correct their information.

Critical Finding 4: Overseas Data Transfers Not Disclosed

Facebook Conversion Tracking, Facebook Pixel, Facebook Signal, Microsoft Clarity, Google Analytics, and Lucky Orange are all active on the school’s website — all sending data to servers outside Australia. None of this is disclosed in the school’s privacy documentation. Under APP 8, organisations must either ensure overseas recipients are bound by equivalent privacy protections or obtain informed consent. Neither appears to be the case here.

High Severity Findings

Content Security Policy Missing

No Content Security Policy header is present on the school’s web server. A CSP is a browser-level defence against cross-site scripting attacks — one of the most common attack vectors against WordPress sites. Without it, malicious scripts injected into the page can execute in visitors’ browsers without restriction.

Eight Subdomains Publicly Indexed

Eight subdomains are publicly visible and indexed, including vpn.bcc.nsw.edu.au, enrol.bcc.nsw.edu.au, and newsletter.bcc.nsw.edu.au. The VPN subdomain is particularly significant — a publicly visible VPN endpoint is a direct attack surface. If the VPN software has known vulnerabilities, or if credentials from the 2025 Qilin breach are still in use, this is an active entry point into the school’s internal network.

Session Recording on a School Website

Microsoft Clarity and Lucky Orange are both active on bcc.nsw.edu.au. Both tools record live visitor sessions — mouse movements, clicks, keystrokes, and form interactions — in real time. On a school website where parents enter enrolment details, medical information, and payment data, live session recording of that interaction is a serious privacy concern that most parents would not expect or consent to.

WordPress CMS on SPF Soft Fail

The site runs WordPress — the most targeted CMS in the world — and the SPF record is set to soft fail only, meaning emails spoofed to appear as if they come from bcc.nsw.edu.au will pass many mail servers. In the context of a school where parents regularly receive communications about their children, a convincing phishing email appearing to come from the school is a highly credible social engineering vector.
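The HSTS and CSP gaps described under Critical Finding 1 and the High Severity findings, and the SPF softfail described just above, can all be checked offline from a copy of the server's response headers and the domain's SPF TXT record. The following is an added example written for this article, not BlackFlag Advisory's tooling; the headers and SPF records are constructed samples, and the one-year `max-age` floor is an assumed hardening threshold.

```python
"""Offline checks for the gaps this brief describes: missing HSTS, missing CSP,
and an SPF record whose 'all' mechanism is softfail (~all) rather than fail (-all).
Feed it headers you captured from your own site and the TXT record of your own domain."""
import re

# Constructed sample inputs; not captured from any real site.
WEAK_HEADERS = {"Server": "nginx", "Content-Type": "text/html; charset=UTF-8"}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
}
SOFTFAIL_SPF = "v=spf1 include:_spf.mailhost.invalid ~all"
HARDFAIL_SPF = "v=spf1 include:_spf.mailhost.invalid -all"

MIN_HSTS_AGE = 31536000  # assumed floor: one year, as most hardening guides recommend


def check_security_headers(headers):
    """Return short finding codes for a dict of HTTP response headers (names matched case-insensitively)."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        # Note: HSTS only protects a browser that has already seen the header once over
        # HTTPS; the first visit is covered only by the browser preload list.
        findings.append("hsts-missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if int(m.group(1)) < MIN_HSTS_AGE if m else True:
            findings.append("hsts-short-max-age")
        if "includesubdomains" not in hsts.lower():
            findings.append("hsts-no-subdomains")  # portals on subdomains stay unprotected
    if "content-security-policy" not in lower:
        findings.append("csp-missing")
    return findings


def spf_policy(txt_record):
    """Return the qualifier of the SPF 'all' mechanism: 'softfail', 'fail', 'pass',
    'neutral', or None if the string is not an SPF record."""
    if not txt_record.lower().startswith("v=spf1"):
        return None
    names = {"~": "softfail", "-": "fail", "+": "pass", "?": "neutral"}
    for term in txt_record.split()[1:]:
        m = re.fullmatch(r"([~+?-]?)all", term, re.IGNORECASE)
        if m:
            return names[m.group(1) or "+"]  # RFC 7208: a missing qualifier means '+'
    return "neutral"  # no 'all' term: unmatched senders evaluate to neutral (RFC 7208 s4.7)
```

A softfail result only asks receivers to mark spoofed mail as suspicious; only `-all`, paired with a DMARC policy of quarantine or reject, tells them to refuse it.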

Summary of findings from passive review

  • HSTS missing — HTTPS not enforced, SSL stripping risk for parent login sessions
  • Pre-consent tracking active — Google Analytics, GTM, Facebook Pixel firing before consent
  • Privacy policy does not reference the Australian Privacy Act or name a privacy contact
  • Overseas data transfers to Meta, Microsoft, and Google not disclosed under APP 8
  • Content Security Policy missing — cross-site scripting protection absent
  • VPN endpoint publicly visible — direct attack surface into internal network
  • Live session recording active — Microsoft Clarity and Lucky Orange on enrolment pages
  • SPF soft fail only — school domain spoofable for phishing against parents

What This Means for Children’s Data Under the Privacy Act

Independent schools in Australia are bound by the Privacy Act 1988 if they have an annual turnover of more than $3 million, or if they provide a health service. Schools that hold health records — including immunisation records — are health service providers under the Act regardless of turnover. Belmont Christian College holds immunisation records. The Privacy Act applies.

The combination of findings here — pre-consent collection, undisclosed overseas transfers, inadequate privacy policy, and data retained beyond what is necessary — represents exposure across multiple Australian Privacy Principles simultaneously. In the post-2024 enforcement environment, where the OAIC has demonstrated willingness to pursue civil penalties, this is not a theoretical risk.

More fundamentally: a school that has already been the victim of a ransomware attack, had student data stolen and published on a dark web leak site, and is now found to have these gaps still present a year later is a school that has not completed its post-breach remediation. That is the finding that matters most.

What a passive assessment delivers

BlackFlag Advisory’s passive OSINT GRC assessment identifies every finding in this article — and more — without accessing any school systems, disrupting any operations, or requiring any technical involvement from staff. The output is a structured report mapped to the Australian Privacy Principles and the ASD Essential Eight, with clear prioritised recommendations. Delivered within five business days.

What Schools Should Do After a Breach

  • Conduct an independent external assessment of what is publicly visible about your digital footprint — not an internal review, an independent one. What your IT team can see from inside is different from what a threat actor sees from outside.
  • Implement HSTS on all public-facing web properties. This is a one-line server configuration change that immediately closes the SSL stripping risk.
  • Audit every third-party tracker on your website. If you cannot justify why it is there, what data it collects, where it sends that data, and what consent basis you have for doing so — remove it.
  • Review your privacy policy against the Australian Privacy Principles. It must reference the Act, name a privacy contact, and accurately describe how data is collected, used, and transferred.
  • Assess your VPN endpoint. If staff VPN credentials were included in the data exfiltrated in 2025, rotate them immediately and consider whether the VPN software has been updated since the breach.
  • Review what data is still held from before the breach. Data retention policy — holding only what is necessary for as long as necessary — is both a Privacy Act obligation and a practical risk reduction measure.

Does Your Organisation Know What Is Visible From Outside?

A BlackFlag Advisory passive OSINT assessment finds what this analysis found — and more — for your organisation. No systems accessed. No disruption. Board-ready report within five business days.

Passive Only — No Systems Accessed

All BlackFlag Advisory assessments use exclusively passive OSINT techniques and publicly available data sources. No systems, networks, or accounts are accessed, probed, or tested at any time. The methodology is the same as what an attacker uses in reconnaissance — the difference is that we tell you what they find.