A Hampshire school has been criticised for losing nearly 20,000 people's personal details. Back in March, Bay House School lost personal details, names, addresses, photographs and some medical information on 7,600 pupils along with details of teachers and parents. In total just under 20,000 people were hit. An administrator …
"improve procedures including encrypting information and separating systems"
That's not the issue. This was a PEBKAC.
I foresee more of this happening
with the growth of mobile devices in schools.
...yet another harsh punishement handed out by the ICO. Oh wait.
While were at it, will ranty Derichleau be back on saying how hard public sector is hit by the ICO and the private sector is always let off?
and the pupil was punished ....
No, I doubt it.
If the pupil had had the gumption to pass on that s/he had been able to compromise the security integrity then I would be applauding his/her common sense if being slightly concerned that they had chosen hacking into systems as a recreational activity.
My partner is a schoolteacher. The password on his school laptop is
"password". He says that this is school policy because "the laptops are school property and any teacher can use any laptop".
Our policy is
Share your password with anyone and we break your thumbs.
We have to break more teacher thumbs than pupil thumbs though.
I'd like to see actual punishment for these types of problems.
Too often the "organisation" is "criticised" - big whoop. It should be the individual who is penalised; they are the ones in the position of responsibility to secure and protect the data in their charge.
If you're a sysad and you can't even use a complex password yourself, you don't deserve the job.
Fining places like this (and the NHS, quango's, train companies, etc.) doesn't work, because they just recoup their "loss" through higher fares or taxes...
but it isnt always the sysad. More often it is the SMT. I am forced to give SMT access to some data areas and VPN access that I would prefer not to and I know for a fact their ability to choose passwords is shite.
I block them off as much as I am able but if they ask for something I cannot say no.
I always make sure I document a good password policy and send it around to people every month, not much but it should cover my arse if *they* are the weak links
My sysad passwords are complex enough to keep brute force happy for a few millenia.
I hope the student was disciplined for this.
Hacking the school's website in the first place is arguably a criminal offence (depending on what the student did to 'hack' it).
And one has to wonder how or why a student was able to gain access to the database in question in the first place, regardless of whether they could guess the password. I seriously hope such a database wasn't accessible from the internet. If it was, then the School's IT management should probably also be the target of disciplinary action.
Hacking websites is against the law?
The next time one of mine are hacked im calling the cops.
Ummm, unauthorised access to a protected machine?
Yes, I believe this is _technically_ against the law, in the same way as dropping litter is. I wouldn't expect the cops to give much of a crap about it, but I think there are laws concerning it...
If I ran a school's website and one of the students hacked it, I'd expect them to be disciplined, just as if they'd broken into school grounds at night and sprayed graffitti on the wall.
There are several things wrong here.
Why the HECK did a school have details on 20,000 people to start with?
They have about 2,200 pupils on roll according to their ofsted.
That means they have details for 9 people per pupil on roll. That seems excessive.
Staff, ex pupils, enquirers, parents, carers, etc. etc.
2,200 pupils now, + pupils who have left and joined during the period of the database, + whoever is linked to the pupils (parents/guardians etc) possibly + applicants and waiting lists.
9 People/ Pupil?
Probably at least half of the data was expired - i.e. pupils who have left. That leaves 4/ pupil, which sounds about right - IIRC our son's school wanted details of two grandparents as well as parents, in case both parents die simultaneously, which happens more often that we would want to believe, e.g. in as car accident.
an alumni is usually kept.
Operational ? Auxilliary ?
Surely the schools data protection policy distinguishes between data required to run the school, and data not required to run the school ? I.e. that data should have been split between a live and archive database ?
I hope they feed them, let them out for walks etc. Alumni are people too.
I thought that you had to purge old personal data if it was no longer required for the purpose it was gathered for?
9 People per pupil
... sounds about right here in the US. Only one if 30 or 40 would be a teacher, of course; the rest have tenured nepotism jobs.
No onsite IT admin?
2200 pupils suggests a school staff of about 80. Not an IT company, so probably a little on the small side to be employing a full-time experienced sysadmin? Maybe under budgetary pressure to prioritise teaching and learning over backoffice stuff like IT admin? Their network would have 2200 presumed hostile attackers on it, maybe sharing network jacks with the 80 supposedly trusted, but likely undertrained staff.
There must be millions of organisations falling between the same two stools. Too large for the discipline of you defending your personally owned PC. Too small for enterprise tools and staffing.
Try more than trippleing that when you consider actual staff and anciliaries (cleaners, admin etc...) I worked at a school with 700 and there were 150 staff with maintenance, catering, housekeeping etc... we only had 2 1/2 IT staff there (one guy did A/V as a second role).
2200 pupils should warrant at least 5 IT staff full time - and that's being stingy. I'll bet they'd all been outsourced 'to save money', and the outsourcing company couldn't be bothered to do it's job properly ("it wasn't covered in the SLAs")
1 sysadmin, properly trained (and probably costing a hell of a lot less than the outsourcers charge) could have prevented this from happening.
I thought one of the principles of the DPA was to prevent organisations from hoarding data for its own sake. Most of the companies where I've worked had to implement fairly complicated methods for eliminating expired 3rd-party data by one-way scrambling.
Why should it be legitimate for a school to behave like a data pack-rat?
you're not wrong and I doubt it's untypical
I used to get marketing emails and letters from my old school many years after I left. I kept asking them to stop and to remove my details from their database, but they didn't. Eventually I went to whine to the Information Commissioner and it turned out the school had never registered as a data processor, despite having very sensitive data (on disability, mental health, religion, family issues etc) on thousands of kids.
Bet they don't have a date management policy either
so the DB will get bigger and bigger and backups (if they do them of course) will get slower and slower.
Might I suggest they fire the admin and hire the student part time.
I'm guess the student would not do something so dumb.
Note this should be widely publicised so parents know how much care will be taken of their personal details.
Sounds about right
When I was at school, 20 years ago, me and some friends ran the school computer room. The thick old bat laughingly referred to as a "teacher" couldn't find her aging saggy arse with both hands and a readme file, never mind run the system herself.
There was also the time at uni when I discovered that the walkup computers all had their own accounts, with masses of disk space allocated, and with no passwords. And to save time, the IT staff had pre-prepared a whole bunch of accounts, many of which weren't used. So if you could find an account that didn't have a computer hooked up to it, you had yourself a ton of extra disk space that could be used for useful stuff. Nice.
Basically, the problem is putting gear with security holes in an environment full of intelligent people with a ton of time on their hands. It's gonna go wrong.
Brings back memories...
Of when I got into my old college's database. Full personal details of every single pupil and member of staff who had ever walked through the door.
Funnily enough, they threatened me with expulsion until I pointed out how many data protection rules they where breaking.
Used to be easier
When I was a lad, the password list was a file that anyone could copy when logged in as administrator. Fortunately they hadn't gotten as far as to put everyone's personal details onto this, so if you wanted home addresses for classmates you had to take the register back the long route and stop to read the appendices.
The real issue ...
... is did the teachers lose any time on Facebook?
I recently saw the performance of a group of junior high kids who'd taken an improv comedy class. One of the bits had them in a bad classroom, and the teacher was too busy on facebook to notice cheating on the test, two kids kissing in the corner, a fire, and an armed gunman being defeated by Legos.
Somehow, I don't think "the clueless teacher on Facebook" character came from the void ... particularly given how the students in the audience were laughing.
I can confirm
that they keep alumni data. I worked at my old school for a while, being a couple of years out of uni at the time. My record on SIMS (eurgh) was still there and was made into a staff one. Some associated parts of SIMS they were using still had the Win3.x look and feel... in 2008.
- Product round-up Too 4K-ing expensive? Five full HD laptops for work and play
- Review We have a winner! Fresh Linux Mint 17.1 – hands down the best
- Vid Antarctic ice THICKER than first feared – penguin-bot boffins
- 'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
- You stupid BRICK! PCs running Avast AV can't handle Windows fixes