A bug in an information management system used by 21,000 UK schools almost resulted in a major data security incident after it was discovered that the software incorrectly matched contact details of students with their names.
Thanks to the bug, a student or the student’s parents could view e-mail addresses, phone numbers, and physical addresses of other students once they were contacted by their schools using any of these methods of communication.
“The consequence of the corruption is that contact information for the incoming pupil for example, address, telephone number and email address, may have become associated with other pupil’s records, or the new pupil could themselves be linked to the wrong contact details. The problem could have impacted pre-admissions, pupils on roll and the records of school leavers,” said Capita, the developer of the information management system in an e-mail to schools.
The firm added that it has developed an upgraded version of the information management system which will take care of the bug and that the breach would not happen again. However, it did not confirm exactly how many students were affected because of the bug.
“We have identified isolated instances where the contact details of new applicants to a school have merged with those of existing pupils. This has only happened on rare occasions where the first name and surname of the pupils’ listed contact are an exact match,” said a spokesperson for Capita to The Register.
“We have taken immediate steps to fix the software to prevent this from happening again and have also issued guidance to schools on how to identify and rectify any issues. We apologise to schools and parents for any disruption this may cause.”
UK schools under persistent attack
This isn’t the first time that privacy of students and staff at UK schools have been put at risk due to software bugs or lack of security measures. In February this year, poor security around CCTV cameras came back to bite four schools in the UK after cyber criminals hacked into their CCTV systems and broadcast feeds on a US website for all to see.
Feeds from the affected schools, which included St Mary’s Catholic Academy and Highfield Leadership Academy in Blackpool, contained live footage of playgrounds, corridors, restrooms, and other areas both inside and outside the school buildings.
Criminals behind the operation also managed to hack into CCTV systems at ‘hundreds of public spaces, businesses and private homes’ as such systems were not protected by passwords, the Daily Mail noted.
Last year, Action Fraud noted that cyber-criminals, posing as officials from the Department of Education, sent malicious e-mails to headteachers and financial administrators at several UK schools, asking the latter to share staff members’ personal email addresses and phone numbers.
The emails sent to headteachers and financial administrators contained .zip attachments that, once opened, encrypted users’ files and demanded up to £8,000 to restore access. Action Fraud noted that many similar scams involved cyber criminals posing as the Department for Work and Pensions and telecoms providers to gain access.