The UK Information Commissioner’s Office (ICO) has reprimanded a Coventry school for data breaches after its IT system was hacked several times.
Finham Park Multi Academy Trust received a slap on the wrist for failing to ensure the confidentiality and integrity of systems and services, or to implement the right technical and organizational measures to ensure appropriate security.
The data watchdog said an unauthorized third-party used compromised credentials to access and encrypt Finham Park’s system, which resulted in the exposure of data belonging to more than 1,800 people.
The failure marked a repeat office, the ICO added.
"Finham Park reported three similar incidents to the Commissioner and each time the Commissioner provided guidance to Finham Park, which set out the importance of implementing appropriate password policies and account management procedures," the ICO said in a statement.
"Finham Park failed to follow this guidance and failed to implement appropriate technical and organizational measures to secure its systems."
In particular, the school had an inadequate account lockout policy, with reversible password encryption enabled, and didn't have multi-factor authentication (MFA) in place. The academy also failed to make sure employees had sufficient knowledge and understanding around the re-use of passwords.
"The NCSC emphasizes that passwords should not be re-used across accounts," the watchdog said. "Had Finham Park educated its employees on password management more effectively, it is possible that this incident could have been avoided."
It appears that the school has finally got the message.
"The Commissioner has also considered and welcomes the remedial steps taken by Finham Park in light of this incident," the ICO added in its statement.
"In particular, Finham Park restored its systems from backups, implemented MFA across the trust, and signed off a digital transformation project plan, which included credential monitoring."
The reprimand reinforces the need for educational institutions to have robust IT security policies and procedures in place, given the sensitivity and large amount of data they hold, according to solicitor Laura Rae of Forbes Solicitors.
"By having clear password policies and lockout procedures, schools should significantly reduce the likelihood of cyber-security incidents occurring, but then also have a clear process for managing and mitigating the effects of these incidents when they occur," she said.
"Alongside this, staff should be made aware of the importance of password security and regularly updating passwords, as part of regular data protection training."
While reprimands don't carry any financial penalty, they work to 'name and shame' organizations, bringing reputational damage and possibly forming evidence in claims for compensation for a data breach.
The ICO issues reprimands in cases where it has found a breach of the UK GDPR, but believes that the breach isn't serious enough to attract a fine. These are often given to public sector organizations, rather than issuing a fine which would then have to be paid for out of public funds.
