Howard Freeman – 1st March 2019
A worrying rise in data breaches being reported across the UK education sector was revealed by a recent freedom of information request.
The EU GDPR (General Data Protection Regulation) mandates that data breaches must be reported in most cases. Many incidents have been reported since the Regulation came into force. However, the numbers shared by the ICO (Information Commissioner’s Office) reveal a growing trend prior to the enforcement date in May last year.
The highest number of breaches in 2016-17
UK schools reported the highest number of breaches in 2016-17, totalling 703. Throughout the sector this was an increase of 4% on the previous year. Over the same period, nurseries saw a 27% increase whilst universities and colleges showed the smallest increase across the sector.
Attractive fraud targets
The GDPR requires organisations to take reasonable steps to protect their data. However, with limited budgets, this can be challenging for the sector. Educational institutions typically hold large amounts of sensitive data. Therefore, schools are particularly at risk of being targeted by fraudsters. It is accepted that schools do not have the budgets enjoyed by larger businesses in order to put robust data security structures in place.
Fraudsters target private schools because they hold large amounts of financial data. This could be used to extort money from parents. One example involved hackers using a school’s IT systems to send out false invoices for school bills and fees.
Data loss and security breaches
A data breach is a security incident in which personal, financial or other confidential data is lost through a cyber-attack or accidental leak. Recently, the ICO has levied some of its biggest fines for data breaches against organisations. The typical type of offence was where data relating to minors was lost or stolen.
In May of 2018, the ICO fined Greenwich University £120,000. This was for a 2016 security breach in which personal data of nearly 20,000 students was placed online.
Most school data is now stored electronically, both in the cloud and on premise. Therefore, safeguards must be put in place to ensure that this sensitive data is kept secure. Reassuring parents and guardians about the security of the information held about their children, and their own financial data, is critical.
It is now very clear that private and independent schools are very attractive to fraudsters. The school fees that the fraudsters are attempting to redirect are often of high value. Schools must have strong data security in place with clear procedures for monitoring to ensure the maintenance of a secure posture.