The company said an investigation was under way. It has not yet confirmed whether any personal or financial data has been breached.
“We became aware of a recent cyber security incident, at which time we immediately enacted our cyber security response plan. Thanks to our robust business continuity plans, impact to our operations has been minimal,” Dino Varkey, group chief executive of Gems Education, said in an email sent to parents.
“It may be some time before we can determine the full extent of the incident,” Mr Varkey said.
Gems said it does not store the bank account details or credit card information of the families or guardians of its pupils. But it said some personal data could have been compromised.
That includes identification documents, financial information, such as payment history, and data related to creditworthiness, health or medical records, and log-in details, such as usernames and passwords.
The group has engaged third-party expertise and legal counsel to assist in its investigation.
“We have also notified the relevant authorities, including our education and data protection regulators and law enforcement. We are closely working with them and they continue to support us,” Mr Varkey said.
The cost of breaches amounted to an average of $3.6 million per incident for businesses alone, as companies rapidly digitised to ensure business continuity during the pandemic.
Overall, cyber criminal activities were projected to inflict damage worth about $6 trillion globally in 2021, a study by research company Cybersecurity Ventures found.
Message to parents
Gems has suggested a few guidelines and precautionary steps for parents to follow:
- Be suspicious if anyone contacts you by email, phone call or text message asking you to confirm your personal data or financial details;
- Change all your and your child’s passwords, including those for Gems accounts. Always use strong passwords and enable two-step authentication on all your online services;
- Check bank accounts regularly and contact the bank if you see any transactions that you do not recognise.