09 Aug 2011
Bay House School in Hampshire has admitted to breaching the Data Protection Act after the personal details of nearly 20,000 individuals, including 7,600 pupils, were put at risk during a hacking attack on its web site.
The hack, which occurred in March, exposed pupils' names, addresses, photographs and some sensitive information relating to their medical history.
Personal information relating to the pupils' parents and teachers was also compromised during the breach.
The problem was identified shortly after the hack and the security of the site was immediately restored. The school reported the breach to the ICO on 17 March.
The Information Commissioner's subsequent investigation found that the security of the school web site had been compromised by a member of staff who had used the same password to access both the school's site and its data management systems.
This password was found by a pupil and used to access other parts of the system. The school had advised staff to avoid the use of duplicate passwords; however, no checks were in place to make sure this policy was followed.
Sally Anne Poole, acting head of enforcement, said: "While it can be difficult to remember lots of different passwords, it is important that individuals do not use the same password to log in to data systems that are supposed to be secure. This is particularly important when the systems allow access to sensitive information relating to young adults.
"We are pleased that Bay House School has agreed to take action to improve the security of the personal information it holds."
Ian Potter, head teacher of Bay House School, has now signed an undertaking to ensure that all reasonable measures are taken to encrypt and separate sensitive and confidential information held on the school's management system. Bay House will make sure that its staff understands the school's guidance on the use of passwords.
The school's web site will also be tested regularly to ensure that the personal information it holds remains secure.
I think some issues arise from the fact that the Data Protection Act doesn't actually specify which security measures should be in place to prevent data breaches. http://bit.ly/pSGrNr It's good to see they are testing the school's website regularly, but what are they doing about the physical security of laptops that contain sensitive information? Are they even using laptop locks?
Posted by: Mari 23 Sep 2011