School suffers major data breach at the hands of one of its own pupils
According to the Information Commissioner's Office (ICO), a pupil of Bay House School in Hampshire discovered the password which allowed access to the personal details of nearly 20,000 individuals, including 7,600 pupils. This broke the Data Protection Act.
The details included pupils' names, addresses, photographs and some sensitive information relating to their medical history, along with personal information relating to parents and teachers.
Sally Anne Poole, acting head of enforcement at the ICO, confirmed that the school had advised staff to avoid the use of duplicate passwords; however, no checks were in place to make sure this policy was being followed. She said: “While it can be difficult to remember lots of different passwords, it is vitally important that individuals do not use the same password to log in to data systems that are supposed to be kept secure. This is particularly important when the systems allow access to sensitive information relating to young adults.
“We are pleased that Bay House School has agreed to take action to improve the security of the personal information they hold.”
David Emm, senior security researcher at Kaspersky Lab, said: “This case highlights the importance of using distinct passwords for different computer accounts. Sadly, all too often the same password is used for everything.
“This breach also raises another important point. With so many different online accounts, how do we remember unique passwords for each one? Especially if we want to take the precaution of creating complex, difficult-to-guess passwords that mix letters, numbers and non-alphanumeric characters.”
Colin Woodland, VP EMEA at IronKey, said: “As long as the ICO don't have to make public the rationale for their judgements into individual cases, then organisations will lack clear guidance on what will happen to them when they lose data or have a data breach and sadly we'll never see an end to horror stories of this type appearing in the press.”
Aziz Maakaroun, managing partner at vulnerability management solutions provider Outpost24 UK, said: “This is a particularly worrying attack for a number of reasons. Firstly, accessing the personal information of children and posting it online holds serious consequences. Secondly, the attack was a result of a basic error that could have easily been avoided if policy had been adhered to.
“The final and most shocking development in this torrid tale is that the attack came from within. Indeed, the hacker was a pupil at Bay House, and he or she leaked the personal information of fellow students and their families.
“Recent months have seen a rush of attacks, from high level targets to relatively simple e-vandalism on celebrity websites. That a school is the latest victim is a new twist on this saga, and a frightening one. Many parents will rightly be concerned about the risk posed to themselves and their children should such data fall into the wrong hands.”