From the Information Commissioner’s Office:
Bay House School in Hampshire breached the Data Protection Act after the personal details of nearly 20,000 individuals, including some 7,600 pupils, were put at risk during a hacking attack on its website.
The hack – which happened in March and involved one of the school’s pupils – exposed pupils’ names, addresses, photographs and some sensitive information relating to their medical history. Personal information relating to the pupils’ parents and teachers was also compromised during the breach. The problem was identified shortly after the hack occurred and the security of the website was immediately restored. The school reported the breach to the ICO on 17 March.
The ICO’s investigation uncovered that the security of the school website had been compromised by a member of staff who had used the same password to access both the school’s website and data management systems. This password was subsequently discovered during the original hacking incident and then used by a pupil to access other parts of the system. The school had advised staff to avoid the use of duplicate passwords; however, no checks were in place to make sure this policy was being followed.
Sally Anne Poole, Acting Head of Enforcement said:
“While it can be difficult to remember lots of different passwords, it is vitally important that individuals do not use the same password to login to data systems that are supposed to be kept secure. This is particularly important when the systems allow access to sensitive information relating to young adults.
“We are pleased that Bay House School has agreed to take action to improve the security of the personal information they hold.”
Ian Potter, Head Teacher of Bay House School, has now signed an undertaking to ensure that all reasonable measures are taken to encrypt and separate sensitive and confidential information held on the school’s management system. The school will make sure that all of their staff understands the school’s guidance on the use of passwords. The school’s website will also be regularly tested to ensure that the personal information they hold remains secure.
Schools typically acquire a good amount of medical information on students. In the U.S., if the school is not a HIPAA-covered entity (and most are not), a breach such as this one might not result in any notification to individuals. It makes no sense to me to say we notify individuals if the very same data were under the stewardship of a HIPAA-covered entity but not if it’s under a FERPA-covered entity.
Not everyone agrees with me on breach notification, of course. See a discussion we’re having on DataBreaches.net where I am outnumbered 2-1 on expanding notifications.
[It makes no sense to me to say we notify individuals if the very same data were under the stewardship of a HIPAA-covered entity but not if it’s under a FERPA-covered entity.]
It is because the healthcare breaches got publicity. Without publicity, the education breaches (and the breaches for every other industry that controls identifying personal information) will continue as they are now.
I have said that I work in the second-most regulated industry behind nuclear power. There are many days & weeks that I think that we’re moving towards being the most-regulated. Not because the nuc’s are shedding theirs, but because we’re adding so many.