The UK Information Commissioner’s Office (ICO) has reprimanded a Coventry school for data breaches after its IT system was hacked several times.
Finham Park Multi Academy Trust received a slap on the wrist for failing to ensure the confidentiality and integrity of systems and services, or to implement the right technical and organizational measures to ensure appropriate security.
The data watchdog said an unauthorized third-party used compromised credentials to access and encrypt Finham Park’s system, which resulted in the exposure of data belonging to more than 1,800 people.
The failure marked a repeat office, the ICO added.
"Finham Park reported three similar incidents to the Commissioner and each time the Commissioner provided guidance to Finham Park, which set out the importance of implementing appropriate password policies and account management procedures," the ICO said in a statement.
READ MORE
"Finham Park failed to follow this guidance and failed to implement appropriate technical and organizational measures to secure its systems."
In particular, the school had an inadequate account lockout policy, with reversible password encryption enabled, and didn't have multi-factor authentication (MFA) in place. The academy also failed to make sure employees had sufficient knowledge and understanding around the re-use of passwords.
"The NCSC emphasizes that passwords should not be re-used across accounts," the watchdog said. "Had Finham Park educated its employees on password management more effectively, it is possible that this incident could have been avoided."
It appears that the school has finally got the message.
"The Commissioner has also considered and welcomes the remedial steps taken by Finham Park in light of this incident," the ICO added in its statement.
"In particular, Finham Park restored its systems from backups, implemented MFA across the trust, and signed off a digital transformation project plan, which included credential monitoring."
The reprimand reinforces the need for educational institutions to have robust IT security policies and procedures in place, given the sensitivity and large amount of data they hold, according to solicitor Laura Rae of Forbes Solicitors.
"By having clear password policies and lockout procedures, schools should significantly reduce the likelihood of cyber-security incidents occurring, but then also have a clear process for managing and mitigating the effects of these incidents when they occur," she said.
"Alongside this, staff should be made aware of the importance of password security and regularly updating passwords, as part of regular data protection training."
While reprimands don't carry any financial penalty, they work to 'name and shame' organizations, bringing reputational damage and possibly forming evidence in claims for compensation for a data breach.
The ICO issues reprimands in cases where it has found a breach of the UK GDPR, but believes that the breach isn't serious enough to attract a fine. These are often given to public sector organizations, rather than issuing a fine which would then have to be paid for out of public funds.
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
AI recruitment tools are still a privacy nightmare – here's how the ICO plans to crack down on misuseNews The ICO has issued guidance for recruiters and AI developers after finding that many are mishandling data
-
“You must do better”: Information Commissioner John Edwards calls on firms to beef up support for data breach victimsNews Companies need to treat victims with swift, practical action, according to the ICO
-
LinkedIn backtracks on AI training rules after user backlashNews UK-based LinkedIn users will now get the same protections as those elsewhere in Europe
-
UK's data protection watchdog deepens cooperation with National Crime AgencyNews The two bodies want to improve the support given to organizations experiencing cyber attacks and ransomware recovery
-
ICO slams Electoral Commission over security failuresNews The Electoral Commission has been reprimanded for poor security practices, including a failure to install security updates and weak password policies
-
Disgruntled ex-employees are using ‘weaponized’ data subject access requests to pester firmsNews Some disgruntled staff are using DSARs as a means to pressure former employers into a financial settlement
-
ICO dishes out fine to HelloFresh for marketing spam campaignNews HelloFresh failed to offer proper opt-outs, the ICO said, and customers weren’t warned their data would be used for months after they cancelled
-
ICO fines topped $14 million in 2023 amid crackdown by regulator on data protection standardsNews ICO fines across 2023 exceeded £14 million, with TikTok among the worst-hit for data protection violations
