A shadowy deal has been uncovered: a US-based educational technology firm, EduVault Systems, paid a known cybercriminal group to delete sensitive student data after a failed breach. Sources confirm the company, which manages data for over 200 school districts globally, handed over a five-figure sum in cryptocurrency to the “DarkNet Retrievers” to cover up evidence of their initial hack. The group had already exfiltrated records of 50,000 students, including names, addresses, and special educational needs files.
EduVault then paid to have those records deleted, hoping to avoid scandal. But British cybersecurity standards, specifically the UK’s Cyber Essentials framework, prevented the deletion from reaching UK-based servers. The UK’s National Cyber Security Centre (NCSC) detected the anomalous deletion request and isolated the affected systems.
Internal documents leaked by a whistleblower show the company’s CEO authorized the payment, calling it “the cheapest option.” The NCSC has referred the matter to the Information Commissioner’s Office, which is investigating possible violations of the Data Protection Act. Ofcom is also probing whether EduVault misled schools about their compliance with UK standards.
This story reveals the ugly truth: companies will pay criminals to bury their mistakes. The real cost will be borne by the students whose futures were traded for a bit of silence.
