Cyber attacks, hacks and legal threats: Academy data breaches revealed

An academy trust was left facing legal action after sending student assessment reports to the wrong parents.

The incident at Aspire Schools in Buckinghamshire last year is one of dozens of examples of data breaches uncovered by a Schools Week investigation.

Documents released under the Freedom of Information Act show how academies were subjected to cyber attacks, hacked by their own students and even left copies of personal data at top London tourist attractions.

Aspire Schools in Buckinghamshire reported that in July 2019, two student assessment reports were “accidentally posted to the wrong parents” because reports were placed in the wrong envelopes.

Although the matter was “dealt with at the time”, the trust “subsequently received a legal request for compensation by the mother of one of the students”. The trust did not respond to a request for comment.

The incident was one of 177 reported across 135 academy trusts to the ESFA in 2018-19.

In February of last year, a register for pupils at Raynsford Church of England Academy was mislaid at the O2 in London during the Young Voices singing event.

Luckily, the register was found and stored in a safe by O2 staff and then returned to the school by secure post.

Julie Ashwell, the school’s head teacher, told Schools Week it had switched to digital registers as a result, as well as reviewing its policy and practice for educational visits.

In another instance, a teacher information pack from the Pioneer Academy containing names of pupils, medical conditions and contact details for all adults on the trip was “inadvertently” left at the London Transport Museum.

Another example where a data breach has led to a big change in trust policies was the Estuaries Multi-Academy Trust, which banned staff at one of its schools from taking home physical documents after an encrypted laptop and papers were stolen from a staffmember’s car.

Several of the data breaches reported to the ESFA involved sensitive data being shown to pupils by mistake, including on whiteboards or projector screens. Others related to information about job applicants being disclosed.

In one instance, Mayflower High School was found to be in breach of GDPR legislation after it confirmed to another school that one of its employees was attending a job interview.

In December 2018, the Chelsea Academy reported that permanent exclusion packs for two pupils were sent to the wrong parents.

Principal Mariella Ardron said sensitive letters were now double enveloped, with an inner envelope bearing the name of the student and urging the recipient not to open it if they are not the parent or carer.

And St Christopher’s C of E Primary Multi Academy Trust reported itself to the ICO after a document containing sensitive personal data of a pupil was circulated “in error” to all persons involved in a complaint.

Jo Wilkey, the trust’s data protection officer, said they had since “looked at the way this particular process operates” and changed elements to “avoid future issues”.

Some trusts, however, were victims of cyber attacks. The 5 Dimensions Trust reported that a student obtained the log-in details of a teacher’s Go4Schools account and “published them on social media”, leading to the details of some students at the school being changed.