The Inquirer-Home

School breaches Data Protection Act

15-year-old pupil hacks website
Tue Aug 09 2011, 17:47

A SCHOOL was found to have breached the Data Protection Act after a 15-year-old pupil hacked into its website and exposed the personal details of 20,000 people, including medical information on more than 7,000 pupils.

The 15-year-old from Hampshire broke into the private database of Bay House School, Gosport, in March after he obtained the password from a member of staff.

The student then revealed the names, addresses, photographs and medical information of 7,600 past and present pupils, plus confidential details on about 13,000 adults. The cheeky youngster has since been suspended.

The school was ruled to have breached the Data Protection Act after an investigation by the Information Commissioner's Office (ICO) found it used the same password for both its website and its data management systems.

Although the school had advised its staff to avoid duplicate passwords, it did not enforce the policy. Luckily for the school, no further action has been taken after its head teacher, Ian Potter, signed an undertaking to ensure reasonable measures are taken to encrypt and separate sensitive and confidential information held on the school's systems.

The ICO said there was "no evidence" the student had done any more than expose the details to his friends.

A statement from Bay House School said, "We are pleased to learn from the ICO that it is taking no further steps, because we have fully co-operated with the commissioner's office. We take very seriously the security of our data system. In this case we were able to act very quickly to identify the hacker and take appropriate action." µ


Comments
Labeled as a hacker?

I find it hilarious that this guy is called a hacker. He got the password from a teacher so the guy didn't hack anything. If anything the teacher should be reprimanded for giving the guy the password. The security breach came from the teacher giving up the password.

posted by : John, 10 August 2011
Medical Information in Databases

Medical information does not belong in the database of a school. It only belongs in the hands of the patients and their physicians. Schools are unfortunately not the only places which collect this information. Damn fucking data collection assholes.

posted by : Sanitor, 10 August 2011
Doesn't surprise me.

I have applied for IT jobs at many school districts here in the USA. After completing an online application, many of them proceeded to email me my password in plain text. Brilliant, guys. It would not be that big of a deal, if they didn't ask for sensitive information such as your SSN (of course I put in a fake SSN, but many people don't).

posted by : King Calamari, 09 August 2011
Ugh

"We take very seriously the security of our data system. In this case we were able to act very quickly to identify the hacker and take appropriate action."

No you didn't. You reused passwords on critical bits. Also, he didn't hack the system but rather obtained the password and just logged in.

posted by : Ugh, 09 August 2011