Cyber attacks, hacks and legal threats: Academy data breaches revealed


An academy trust was left facing legal action after sending student assessment reports to the wrong parents.

The incident at Aspire Schools in Buckinghamshire last year is one of dozens of examples of data breaches uncovered by a Schools Week investigation.

Documents released under the Freedom of Information Act show how academies were subjected to cyber attacks, hacked by their own students and even left copies of personal data at top London tourist attractions.

Aspire Schools in Buckinghamshire reported that in July 2019, two student assessment reports were “accidentally posted to the wrong parents” because reports were placed in the wrong envelopes.

Although the matter was “dealt with at the time”, the trust “subsequently received a legal request for compensation by the mother of one of the students”. The trust did not respond to a request for comment.

The incident was one of 177 reported across 135 academy trusts to the ESFA in 2018-19.

In February of last year, a register for pupils at Raynsford Church of England Academy was mislaid at the O2 in London during the Young Voices singing event.

Luckily, the register was found and stored in a safe by O2 staff and then returned to the school by secure post.

Julie Ashwell, the school’s head teacher, told Schools Week it had switched to digital registers as a result, as well as reviewing its policy and practice for educational visits.

In another instance, a teacher information pack from the Pioneer Academy containing names of pupils, medical conditions and contact details for all adults on the trip was “inadvertently” left at the London Transport Museum.

Another example where a data breach has led to a big change in trust policies was the Estuaries Multi-Academy Trust, which banned staff at one of its schools from taking home physical documents after an encrypted laptop and papers were stolen from a staffmember’s car.

Several of the data breaches reported to the ESFA involved sensitive data being shown to pupils by mistake, including on whiteboards or projector screens. Others related to information about job applicants being disclosed.

In one instance, Mayflower High School was found to be in breach of GDPR legislation after it confirmed to another school that one of its employees was attending a job interview.

In December 2018, the Chelsea Academy reported that permanent exclusion packs for two pupils were sent to the wrong parents.

Principal Mariella Ardron said sensitive letters were now double enveloped, with an inner envelope bearing the name of the student and urging the recipient not to open it if they are not the parent or carer.

And St Christopher’s C of E Primary Multi Academy Trust reported itself to the ICO after a document containing sensitive personal data of a pupil was circulated “in error” to all persons involved in a complaint.

Jo Wilkey, the trust’s data protection officer, said they had since “looked at the way this particular process operates” and changed elements to “avoid future issues”.

Some trusts, however, were victims of cyber attacks. The 5 Dimensions Trust reported that a student obtained the log-in details of a teacher’s Go4Schools account and “published them on social media”, leading to the details of some students at the school being changed.

Your thoughts

Leave a Reply

Your email address will not be published. Required fields are marked *


  1. Steven Kennedy

    What a poor story. You talk about academy trusts but in this instance what you mean is schools. A school sends a wrong report home? Wow. Let’s sack the exams officer? Don’t let your political vehemence against Trusts turn you into the Daily Express of educational media. This is a non-story which will only hurt the lowest paid administrators in schools, it is has nothing to do with the Academy or Trust system. Good timing- kick schools when they are at their most strained position in a generation. Shame on you.

    Oh and your freedom of information request would have stretched school resources right at the height of lockdown whilst they were trying to safeguard the vulnerable and teach online. Hours of their work having to be sidelined for this pathetic piece.

    • John Dickens

      Note from the editor: Thanks for your comment Steven. The FOI was to the Department for Education which already had the information as schools had submitted it as part of annual accounts.

      • Mark Watson

        I’ve asked Schools Week dozens of questions to follow up points in their articles and never once had a response.

        At least now I know I just need to refer to them as “the Daily Express of educational media” and they’ll be unable to resist answering …

        • John Dickens

          Note from the editor: Hi Mark. I commented solely to correct the falsehood that our FOI would have impacted school resources. (I didn’t want to not approve the comment because of that, so approved it but added my note). Please be assured I always read your feedback, but feel free to email me if you want to discuss our stories further. Regards, John

  2. Mark Watson

    I’d really like to be able to put this into context. 177 incidents reported from 135 academy trusts. How does this compare with incidents of data breaches in non-academy schools? Last I checked, local authorities were subject to the Freedom of Information Act, and I presume if Schools Week was genuinely interested in the issue of data protection they asked the same questions of local authorities, or even the Information Commissioner, so are academies more or less prone to data breaches?