Pupil data ‘not compromised’ by software flaw

Schools have been reassured their pupils’ personal data was not compromised after a “serious security flaw” was found in internet safety software used by more than a quarter of schools.

A security researcher discovered the flaw in the Impero Education Pro program, which the software company says is used in 27 per cent of secondary schools to monitor pupils’ website use.

The Guardian newspaper reported on Tuesday that hackers could infiltrate computers running the system to gain the personal data of pupils using the program.

The flaw, discovered days after Impero launched an anti-terrorism add-on, reportedly relates to weaknesses in the company’s encryption protocols that allow almost anyone to gain full access to computers running the software.

The researcher published the flaw on a code-sharing website last month. Impero has since sent schools a short-term patch to fix the issue.

The company said the system could only be exploited if the hacker was physically in the school and if there was no basic network security.

A statement read: “No customers have been affected by this and no data has been leaked or compromised.

“We immediately released a hot fix as a short-term measure to address the issue and since then we have been working closely with our customers and penetration testers to develop a solid long-term solution.

“All schools will have the new version, including the long-term fix, installed in time for the new school term.”

Impero is now pursuing legal action for breach of copyright against the security researcher for making the information public, rather than “bringing it to our attention privately and in confidence”.

“Impero Education Pro is designed to protect and safeguard children in schools and any attempt to jeopardise this by illegally obtaining and publicising sensitive information will be dealt with,” it said.

Schools Week reported last month that Impero had started a trial for its add-on that will let teachers know when a pupil browses extremist websites or searches for terrorism-related terms.

When a pupil uses any of these terms it triggers a screenshot that allows teachers to put the incident into context.

The project is currently being trialled in 16 schools and could be available to all schools from the start of the autumn term.

The Department for Education said: “We have been clear that schools are expected to ensure that sensitive pupil information is held securely. The Data Protection Act of 1998 is clear what standards schools are expected to adhere to and we provide guidance on this.”