A SCHOOL was found to have breached the Data Protection Act after a 15-year-old pupil hacked into its website and exposed the personal details of 20,000 people, including medical information on more than 7,000 pupils.
The 15-year-old from Hampshire broke into the private database of Bay House School, Gosport, in March after he obtained the password from a member of staff.
The student then revealed the names, addresses, photographs and medical information of 7,600 past and present pupils, plus confidential details on about 13,000 adults. The cheeky youngster has since been suspended.
The school was ruled to have breached the Data Protection Act after an investigation by the Information Commissioner's Office (ICO) found it used the same password for both its website and its data management systems.
Although the school had advised its staff to avoid duplicate passwords, it did not enforce the policy. Luckily for the school, no further action has been taken after its head teacher, Ian Potter, signed an undertaking to ensure reasonable measures are taken to encrypt and separate sensitive and confidential information held on the school's systems.
The ICO said there was "no evidence" the student had done any more than expose the details to his friends.
A statement from Bay House School said, "We are pleased to learn from the ICO that it is taking no further steps, because we have fully co-operated with the commissioner's office. We take very seriously the security of our data system. In this case we were able to act very quickly to identify the hacker and take appropriate action."
I find it hilarious that this guy is called a hacker. He got the password from a teacher so the guy didn't hack anything. If anything the teacher should be reprimanded for giving the guy the password. The security breach came from the teacher giving up the password.
Medical information does not belong in the database of a school. It only belongs in the hands of the patients and their physicians. Schools are unfortunately not the only places which collect this information. Damn fucking data collection assholes.
I have applied for IT jobs at many school districts here in the USA. After completing an online application, many of them proceeded to email me my password in plain text. Brilliant, guys. It would not be that big of a deal, if they didn't ask for sensitive information such as your SSN (of course I put in a fake SSN, but many people don't).
"We take very seriously the security of our data system. In this case we were able to act very quickly to identify the hacker and take appropriate action."
No you didn't. You reused passwords on critical bits. Also, he didn't hack the system but rather obtained the password and just logged in.