
Out-Law News

School password duplication exposes personal data, ICO says


Personal details belonging to almost 20,000 people were exposed following a hacking attack on a school website, the UK's data protection watchdog has said.

Names, addresses, photographs and medical history were among the pieces of information on 7,600 pupils compromised during the attack, the Information Commissioner's Office (ICO) said. More personal information belonging to pupils' parents and teachers was also put at risk by the attack, it said.

Organisations responsible for holding personal data must secure it from "unauthorised or unlawful processing ... and against accidental loss or destruction of, or damage to, personal data," a principle of the Data Protection Act provides.

The attack occurred in March when computer hackers, including at least one school pupil, hacked into the website of Bay House School in Hampshire. The hackers used a password uncovered during the website attack to gain access to other systems that contained information allowing the hackers to expose the personal data, the ICO said.

"The security of the school website had been compromised by a member of staff who had used the same password to access both the school’s website and data management systems," the ICO said in a statement.

"This password was subsequently discovered during the original hacking incident and then used by a pupil to access other parts of the system. The school had advised staff to avoid the use of duplicate passwords; however, no checks were in place to make sure this policy was being followed," the statement said.

The school reported the security breach to the ICO on 17 March, and the headteacher has now signed undertakings that commit the school to encrypt the sensitive personal data it stores and to separate it from basic identification and contact details. It has also committed to using different passwords for accessing different areas of information on its systems.

"While it can be difficult to remember lots of different passwords, it is vitally important that individuals do not use the same password to login to data systems that are supposed to be kept secure," Sally Anne Poole, Acting Head of Enforcement at the ICO, said.

"This is particularly important when the systems allow access to sensitive information relating to young adults. We are pleased that Bay House School has agreed to take action to improve the security of the personal information they hold," Poole said.
