Data Protection Breach Puts 20K Personal Details at Risk

Jay Decenella, IT audit expert
August 08, 2011

Some 20,000 individuals may have had their personal details exposed to third parties after Bay House School in Hampshire suffered a data protection breach involving its Web site.

The compromise went as far as putting at risk the personal information of some 7,600 pupils. The Information Commissioner’s Office (ICO) has charged Bay House with violations against the Data Protection Act, in addition to separate charges filed against Lewisham Homes and Wandle Housing Association for lax handling of their tenants’ bank account information.

The breach, which occurred in March and involved one of the school’s pupils, exposed pupils’ names, addresses, photographs and some sensitive information relating to their medical history, according to the ICO.

The privacy commissioner added that the personal information relating to the pupils’ parents and teachers was also compromised during the breach.

“The problem was identified shortly after the hack occurred and the security of the website was immediately restored,” it said.

“The school reported the breach to the ICO on 17 March.”

The ICO’s investigation showed that the security of the school’s Web site had been compromised by a member of staff who had used the same password to access both the school’s Web site and data management systems.

“This password was subsequently discovered during the original hacking incident and then used by a pupil to access other parts of the system,” the ICO said.

Although the school had advised its staff to avoid the use of duplicate passwords, no checks were in place to make sure this policy was being followed.

Ian Potter, Head Teacher of Bay House School, has signed an undertaking to ensure that all reasonable measures are already in place to encrypt and separate sensitive and confidential data held on the school’s management system.

The undertaking binds the school to make sure that all of its staff understand the school’s guidance on the use of passwords.

The school’s Web site will also be regularly tested to ensure that the personal information they hold remains secure.

Sally Anne Poole, Acting Head of Enforcement, said: “While it can be difficult to remember lots of different passwords, it is vitally important that individuals do not use the same password to login to data systems that are supposed to be kept secure.

“This is particularly important when the systems allow access to sensitive information relating to young adults.

“We are pleased that Bay House School has agreed to take action to improve the security of the personal information they hold.”

 
