A STUDENT at one of Hampshire’s top schools has been excluded after hacking into its website and putting the personal details of nearly 20,000 individuals – including some 7,600 past and present pupils – at risk.
The year ten boy at Bay House School in Gosport, rated ‘outstanding’ by Ofsted, managed to obtain the password from a member of staff who has also faced disciplinary action.
Bay House, which identified the incident ‘immediately’ and reported it to the Information Commissioner’s Office (ICO) on March 17, has subsequently been found in breach of the Data Protection Act.
The hacking incident exposed pupils’ names, addresses, photographs and some sensitive information relating to their medical history.
Personal details about pupils’ parents and teachers were also compromised during the breach.
The ICO’s investigation uncovered that the security of the school website had been compromised by a member of staff who had used the same password to access both the school’s website and data management systems.
This password was subsequently used by the student to access other parts of the system.
The school had advised staff to avoid the use of duplicate passwords – however, no checks were in place to make sure this policy was being followed.
Sally Anne Poole, the ICO’s acting head of enforcement, said: ‘While it can be difficult to remember lots of different passwords, it is vitally important that individuals do not use the same password to log in to data systems that are supposed to be kept secure.
‘This is particularly important when the systems allow access to sensitive information relating to young adults.
‘We are pleased Bay House School has agreed to take action to improve the security of the personal information they hold.’
Head Ian Potter has signed an undertaking to ensure all sensitive and confidential information on the school’s management system is encrypted and separated.
The school will make sure that all of its staff understand the school’s guidance on the use of passwords, and its website will be regularly tested for security.
Bay House released a statement that read: ‘We are pleased to learn from the ICO that it’s taking no further steps, because we have fully co-operated with the commissioner’s office.
‘We take very seriously the security of our data system.
‘In this case we were able to act very quickly to identify the hacker and take appropriate action.’
A senior member of school staff confirmed the student had been given a temporary exclusion and that the staff member involved was disciplined.