Bay House School in Hampshire has admitted to breaching the Data Protection Act after the personal details of nearly 20,000 individuals, including 7,600 pupils, were put at risk during a hacking attack on its web site.
The hack, which occurred in March, exposed pupils' names, addresses, photographs and some sensitive information relating to their medical history.
Personal information relating to the pupils' parents and teachers was also compromised during the breach.
The problem was identified shortly after the hack and the security of the site was immediately restored. The school reported the breach to the ICO on 17 March.
The Information Commissioner's subsequent investigation found that the security of the school web site had been compromised by a member of staff who had used the same password to access both the school's site and its data management systems.
This password was found by a pupil and used to access other parts of the system. The school had advised staff to avoid the use of duplicate passwords; however, no checks were in place to make sure this policy was followed.
Sally Anne Poole, acting head of enforcement, said: "While it can be difficult to remember lots of different passwords, it is important that individuals do not use the same password to log in to data systems that are supposed to be secure. This is particularly important when the systems allow access to sensitive information relating to young adults.
"We are pleased that Bay House School has agreed to take action to improve the security of the personal information it holds."
Ian Potter, head teacher of Bay House School, has now signed an undertaking to ensure that all reasonable measures are taken to encrypt and separate sensitive and confidential information held on the school's management system. Bay House will make sure that its staff understands the school's guidance on the use of passwords.
The school's web site will also be tested regularly to ensure that the personal information it holds remains secure.