School breaches Data Protection Act after details put at risk in hacking

A Hampshire comprehensive school breached the Data Protection Act after the personal details of nearly 20,000 people, including some 7,600 pupils, were put at risk during a hacking attack on its website.

Bay House School, in Gosport, suffered the hacking in March, which exposed pupils’ names, addresses, photographs and some sensitive medical information. Personal information on teachers was also compromised.

The school was quickly able to improve its security and reported the breach to the Information Commissioner’s Office on 17 March.

An ICO investigation found the security of the school website had been compromised by a member of staff, who had used the same password to access both the website and data management systems.

This password was discovered during the original hacking attack, and then used by a pupil to access other parts of the system.

Sally Anne Poole, ICO acting head of enforcement, said: “While it can be difficult to remember lots of different passwords, it is vitally important that individuals do not use the same password to log in to data systems that are supposed to be kept secure.

“This is particularly important when the systems allow access to sensitive information relating to young adults.”

The ICO concluded that the data disclosure did not appear to have caused substantial damage or distress.

Head teacher Ian Potter has signed an undertaking to ensure that all reasonable measures are taken to encrypt and separate sensitive and confidential information held on the school’s management system.

Mark Smulian