I foresee more of this happening
with the growth of mobile devices in schools.
A Hampshire school has been criticised for losing nearly 20,000 people's personal details. Back in March, Bay House School lost personal details, names, addresses, photographs and some medical information on 7,600 pupils along with details of teachers and parents. In total just under 20,000 people were hit. An administrator …
No, I doubt it.
If the pupil had had the gumption to pass on that s/he had been able to compromise the security integrity then I would be applauding his/her common sense if being slightly concerned that they had chosen hacking into systems as a recreational activity.
...yet another harsh punishment handed out by the ICO. Oh wait.
While we're at it, will ranty Derichleau be back on saying how hard the public sector is hit by the ICO and the private sector is always let off?
http://forums.theregister.co.uk/forum/1/2011/08/04/ico_says_public_sector_to_respond_to_twitter_/
I'd like to see actual punishment for these types of problems.
Too often the "organisation" is "criticised" - big whoop. It should be the individual who is penalised; they are the ones in the position of responsibility to secure and protect the data in their charge.
If you're a sysad and you can't even use a complex password yourself, you don't deserve the job.
Fining places like this (and the NHS, quangos, train companies, etc.) doesn't work, because they just recoup their "loss" through higher fares or taxes...
But it isn't always the sysad. More often it is the SMT. I am forced to give SMT access to some data areas and VPN access that I would prefer not to, and I know for a fact their ability to choose passwords is shite.
I block them off as much as I am able but if they ask for something I cannot say no.
I always make sure I document a good password policy and send it around to people every month; not much, but it should cover my arse if *they* are the weak links.
My sysad passwords are complex enough to keep brute force happy for a few millennia.
Probably at least half of the data was expired - i.e. pupils who have left. That leaves 4 per pupil, which sounds about right - IIRC our son's school wanted details of two grandparents as well as parents, in case both parents die simultaneously, which happens more often than we would want to believe, e.g. in a car accident.
Hacking the school's website in the first place is arguably a criminal offence (depending on what the student did to 'hack' it).
And one has to wonder how or why a student was able to gain access to the database in question in the first place, regardless of whether they could guess the password. I seriously hope such a database wasn't accessible from the internet. If it was, then the School's IT management should probably also be the target of disciplinary action.
Yes, I believe this is _technically_ against the law, in the same way as dropping litter is. I wouldn't expect the cops to give much of a crap about it, but I think there are laws concerning it...
If I ran a school's website and one of the students hacked it, I'd expect them to be disciplined, just as if they'd broken into school grounds at night and sprayed graffiti on the wall.
2200 pupils suggests a school staff of about 80. Not an IT company, so probably a little on the small side to be employing a full-time experienced sysadmin? Maybe under budgetary pressure to prioritise teaching and learning over backoffice stuff like IT admin? Their network would have 2200 presumed hostile attackers on it, maybe sharing network jacks with the 80 supposedly trusted, but likely undertrained staff.
There must be millions of organisations falling between the same two stools. Too large for the discipline of you defending your personally owned PC. Too small for enterprise tools and staffing.
Try more than tripling that when you consider actual staff and ancillaries (cleaners, admin etc...). I worked at a school with 700 and there were 150 staff with maintenance, catering, housekeeping etc... we only had 2 1/2 IT staff there (one guy did A/V as a second role).
2200 pupils should warrant at least 5 IT staff full time - and that's being stingy. I'll bet they'd all been outsourced 'to save money', and the outsourcing company couldn't be bothered to do its job properly ("it wasn't covered in the SLAs").
1 sysadmin, properly trained (and probably costing a hell of a lot less than the outsourcers charge) could have prevented this from happening.
I thought one of the principles of the DPA was to prevent organisations from hoarding data for its own sake. Most of the companies where I've worked had to implement fairly complicated methods for eliminating expired 3rd-party data by one-way scrambling.
Why should it be legitimate for a school to behave like a data pack-rat?
I used to get marketing emails and letters from my old school many years after I left. I kept asking them to stop and to remove my details from their database, but they didn't. Eventually I went to whine to the Information Commissioner and it turned out the school had never registered as a data processor, despite having very sensitive data (on disability, mental health, religion, family issues etc) on thousands of kids.
so the DB will get bigger and bigger and backups (if they do them of course) will get slower and slower.
Might I suggest they fire the admin and hire the student part time.
I'm guessing the student would not do something so dumb.
Note this should be widely publicised so parents know how much care will be taken of their personal details.
When I was at school, 20 years ago, me and some friends ran the school computer room. The thick old bat laughingly referred to as a "teacher" couldn't find her aging saggy arse with both hands and a readme file, never mind run the system herself.
There was also the time at uni when I discovered that the walkup computers all had their own accounts, with masses of disk space allocated, and with no passwords. And to save time, the IT staff had pre-prepared a whole bunch of accounts, many of which weren't used. So if you could find an account that didn't have a computer hooked up to it, you had yourself a ton of extra disk space that could be used for useful stuff. Nice.
Basically, the problem is putting gear with security holes in an environment full of intelligent people with a ton of time on their hands. It's gonna go wrong.
When I was a lad, the password list was a file that anyone could copy when logged in as administrator. Fortunately they hadn't gotten as far as to put everyone's personal details onto this, so if you wanted home addresses for classmates you had to take the register back the long route and stop to read the appendices.
... is did the teachers lose any time on Facebook?
I recently saw the performance of a group of junior high kids who'd taken an improv comedy class. One of the bits had them in a bad classroom, and the teacher was too busy on Facebook to notice cheating on the test, two kids kissing in the corner, a fire, and an armed gunman being defeated by Legos.
Somehow, I don't think "the clueless teacher on Facebook" character came from the void ... particularly given how the students in the audience were laughing.