What are Paul Moore's security qualifications?
"There is no mechanism for verifying the person providing feedback is a parent, no token or means of identifying the person, any email address can be used to sign up and the process could easily be automated,"
"Ofsted claimed to have received 1 recording for this school but 55 (or so) parents have stated their children left recordings,"
Experienced security consultant Paul Moore downplayed Oli's concerns. "There's nothing really substantial here," Moore told El Reg. "There's no proof that any data has been lost, so far as I can see ... and although the report process could be refined, it's not exactly a security concern."
Nice to see such complacency in a security consultant; I suppose he is okay with users using very simple passwords (e.g. 'Password1') until such time as there is proof of data loss directly arising from an unauthorised third-party using those credentials... I won't be giving him a call...
In my security experience, the provenance and integrity of datasets that will be used to make business decisions is a security concern; you can't expect the users who draw up surveys to understand the IT mechanisms necessary to ensure the data collected comes from the intended sources and only the intended sources.