Strathmore Secondary College is under investigation following the accidental publication of over 300 student records. The breach was slammed by education minister James Merlino as “nothing short of appalling” as it revealed highly sensitive information such as disabilities, behavioural issues, and treatment plans of students. The breach sends a strong message to the education sector regarding the importance of training staff and having in place a strong data breach response plan.
The breach
On Tuesday 21 August 2018, Strathmore Secondary College became aware that student records relating to more than 300 students had been accidentally published on the school’s intranet from as early as Monday this week. The intranet is accessible by students and parents. The records published listed conditions such as ADHD, Asperger’s, acquired brain injuries, and Autism. It also contained information on whether students were receiving government support, were on medication, or had treatment plans.
While the information was restricted to the intranet, there are concerns that the information could fuel bullying or harassment. Additionally, the information could be further spread by word of mouth or copies being made. The education department will be launching an inquiry into the breach and visiting the school to educate staff on privacy and IT issues. The impact of the breach in terms of degree of access or number of downloads is currently unclear.
Lesson for organisations
The Strathmore data breach aligns with the OAIC’s recent finding that human error is a key contributor to data breaches. In its second quarterly report on the NDB Scheme, it found that human error accounted for 36% of data breaches. While malicious or criminal attacks accounted for 59% of notifications, many of these involved a human factor, such as staff clicking on phishing emails. This is an important lesson for organisations: staff training deserves the same focus as IT systems.
Furthermore, the Strathmore data breach demonstrates the significant impact a data breach can have on an organisation’s reputation. It is critical that organisations have in place a tailored data breach response plan (DBRP). This is especially so if the organisation is bound by the NDB Scheme or reporting requirements under state contracts. These generally require the reporting of data breaches which lead to or have the potential to lead to significant harm to affected individuals.
In the past, Moores has worked with education institutions who have suffered data breaches, including education bodies which have published sensitive student information in error on “public” websites. With the help of a clear and effective DBRP, significant harm can be mitigated and the data breach can be contained. This may mean that reporting is not required, allowing the organisation to minimise the risk of reputational harm or widespread panic.
Next Steps
The education sector is becoming increasingly susceptible to data breaches. Privacy breaches, malicious cyber threats, and IT systems failure all featured in the top 10 concerns for schools, as highlighted in the AON Independent Risk Report 2018. Education institutions are particularly vulnerable because they hold sensitive information such as the health data of children.
Organisations need to strengthen their privacy practices. We highly recommend that organisations undertake a self-assessment of their current practices. Where your organisation falls short, such as by having no DBRP or no staff training, the current environment provides a strong incentive to prioritise improving those practices.
How we can help
Moores has experience working with clients in the education sector both to prevent data breaches and to respond to them proactively. We can provide advice to your organisation on its privacy framework.
If you would like further assistance, please do not hesitate to contact us.