Today the Information Commissioner’s Office announced a data protection act breach at the Bay House School in Hampshire which placed data belonging to nearly 20,000 people at risk.
Reading the ICO report, it appears this breach was the result of an attack on its website and the fact that members of staff re-used passwords for multiple systems.
The hack – which happened in March and involved one of the school’s pupils – exposed pupils’ names, addresses, photographs and some sensitive information relating to their medical history. Personal information relating to the pupils’ parents and teachers was also compromised during the breach. The problem was identified shortly after the hack occurred and the security of the website was immediately restored. The school reported the breach to the ICO on 17 March.
The ICO’s investigation uncovered that the security of the school website had been compromised by a member of staff who had used the same password to access both the school’s website and data management systems. This password was subsequently discovered during the original hacking incident and then used by a pupil to access other parts of the system. The school had advised staff to avoid the use of duplicate passwords; however, no checks were in place to make sure this policy was being followed.
The good news, for the school at least, is that the ICO has not issued a monetary fine at this time – however the school will have to undertake measures to provide significant improvements to its security.
As a result of the Undertaking, the school will have to implement appropriate measures to encrypt and segregate data, ensure staff awareness and carry out penetration tests on at least an annual basis.
Now, all of this really is good practice and you would be right in thinking that anyone handling sensitive personal data (especially 20,000 records including the details of school children) would have already implemented this. We would certainly encourage any organisation which has personal data to do this.
One important thing to bear in mind, is that it is always more cost effective to implement measures like this at the outset – design them in as part of a long term strategy – rather than wait until a breach forces you to act. Taking the proper measures in advance gives you much greater flexibility in how they are deployed, how they are resourced and most importantly saves you the inevitable reputational damage.
Halkyn Consulting security team are always available to offer advice and guidance on how to best implement security controls to protect sensitive personal data. Get in touch today to see how we can help your business both comply with the law and properly safeguard the data people have entrusted into your hands.