UK: Hampshire school breached data protection rules
From the Information Commissioner’s Office:
Bay House School in Hampshire breached the Data Protection Act after the personal details of nearly 20,000 individuals, including some 7,600 pupils, were put at risk during a hacking attack on its website.
The hack – which happened in March and involved one of the school’s pupils – exposed pupils’ names, addresses, photographs and some sensitive information relating to their medical history. Personal information relating to the pupils’ parents and teachers was also compromised during the breach. The problem was identified shortly after the hack occurred and the security of the website was immediately restored. The school reported the breach to the ICO on 17 March.
The ICO’s investigation uncovered that the security of the school website had been compromised by a member of staff who had used the same password to access both the school’s website and data management systems. This password was subsequently discovered during the original hacking incident and then used by a pupil to access other parts of the system. The school had advised staff to avoid the use of duplicate passwords; however, no checks were in place to make sure this policy was being followed.
Sally Anne Poole, Acting Head of Enforcement said:
“While it can be difficult to remember lots of different passwords, it is vitally important that individuals do not use the same password to login to data systems that are supposed to be kept secure. This is particularly important when the systems allow access to sensitive information relating to young adults.
“We are pleased that Bay House School has agreed to take action to improve the security of the personal information they hold.”
Ian Potter, Head Teacher of Bay House School, has now signed an undertaking to ensure that all reasonable measures are taken to encrypt and separate sensitive and confidential information held on the school’s management system. The school will make sure that all of their staff understands the school’s guidance on the use of passwords. The school’s website will also be regularly tested to ensure that the personal information they hold remains secure.