The Department for Education has apologised after a group of academy finance staff’s details were compromised in a data breach.
More than 850 staff working in trust finance had signed up for a virtual event next week, where the DfE will advise attendees on funding levels, the pupil premium, the national funding formula and other topics. Education and Skills Funding Agency interim CEO John Edwards is due to speak at the event.
But attendees received an email on Thursday revealing officials had discovered the calendar invitation “enables people to see the email address of other participants”.
The invite was “immediately cancelled” and officials asked guests to remove the meeting from calendars.
The email also revealed “one incident” saw an attendee add the invite into their calendar, only to trigger a new meeting invitation to everyone else.
“At this stage, we do not know what has allowed this to happen, but we have logged this formally as a ‘data breach’ and would like to sincerely apologise to everyone for the confusion and inconvenience this has caused,” the DfE told attendees.
Organisers confirmed the event would still go ahead as planned. Officials said they had taken immediate action, sent out no further calendar invites and the DfE’s data protection office would review the case and decide whether to refer it to the Information Commissioner’s Office.
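The fault described above, an invite whose attendee list is visible to every recipient, is easy to check for before sending. The following is an added example, not code from the DfE or from the article: it parses an iCalendar (RFC 5545) invite, lists the attendee addresses a recipient would be able to see, flags an invite that discloses more than one, and rewrites a bulk invite into one copy per attendee so that no recipient learns who else was invited. The invite text, event name and addresses are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample: a single iCalendar invite that lists every attendee in one
# VEVENT, as a bulk-invite tool might produce. Addresses are placeholders.
BULK_INVITE = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//example//constructed sample//EN
METHOD:REQUEST
BEGIN:VEVENT
UID:finance-briefing-001@example.invalid
DTSTART:20210915T100000Z
DTEND:20210915T113000Z
SUMMARY:Trust finance briefing (constructed sample)
ORGANIZER:mailto:organiser@example.invalid
ATTENDEE;ROLE=REQ-PARTICIPANT:mailto:alice@trust-a.example.invalid
ATTENDEE;ROLE=REQ-PARTICIPANT:mailto:bob@trust-b.example.invalid
ATTENDEE;ROLE=REQ-PARTICIPANT:mailto:carol@trust-c.example.invalid
END:VEVENT
END:VCALENDAR
"""

# One ATTENDEE property per line: optional parameters, then "mailto:" address.
ATTENDEE_RE = re.compile(
    r"^ATTENDEE[^:]*:mailto:(?P<addr>[^\r\n]+?)\r?$",
    re.IGNORECASE | re.MULTILINE,
)


def unfold(ics: str) -> str:
    """RFC 5545 folds long lines as CRLF followed by a space or tab; undo that first."""
    return re.sub(r"\r?\n[ \t]", "", ics)


def visible_attendees(ics: str) -> List[str]:
    """Return every attendee address a recipient of this invite can read."""
    return [m.group("addr").strip() for m in ATTENDEE_RE.finditer(unfold(ics))]


def exposes_other_recipients(ics: str, max_visible: int = 1) -> bool:
    """Pre-send check: True when the invite discloses more attendees than allowed.

    The default of one visible attendee means each recipient sees only themself.
    """
    return len(visible_attendees(ics)) > max_visible


def split_per_recipient(ics: str) -> Dict[str, str]:
    """Rewrite one bulk invite into one invite per attendee.

    Each copy keeps the same UID (so replies still correlate to one event) and
    carries exactly one ATTENDEE line, so no recipient sees the other guests.
    """
    lines = unfold(ics).splitlines()
    attendee_lines = [ln for ln in lines if ATTENDEE_RE.match(ln)]
    template = [ln for ln in lines if not ATTENDEE_RE.match(ln)]
    end_idx = template.index("END:VEVENT")
    copies: Dict[str, str] = {}
    for att_line in attendee_lines:
        addr = ATTENDEE_RE.match(att_line).group("addr").strip()
        body = template[:end_idx] + [att_line] + template[end_idx:]
        copies[addr] = "\r\n".join(body) + "\r\n"
    return copies


if __name__ == "__main__":
    print("bulk invite exposes other recipients:", exposes_other_recipients(BULK_INVITE))
    for addr, copy in split_per_recipient(BULK_INVITE).items():
        print(addr, "-> visible attendees:", visible_attendees(copy))
```

The check is the useful part: run it against whatever the invite tool emits before the send, and refuse to send if it returns True. Most calendar products also offer an option to hide the attendee list from guests; the per-recipient rewrite above is the equivalent when the tooling does not.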
Duty to report some data breaches
A spokesperson for the ICO said on Friday morning it had not received a breach report from the DfE, though added that not all breaches had to be reported.
“Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms.
“If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it, and be able to explain why it wasn’t reported if necessary.”
Pete Woodward, co-founder of Securious, a cyber-security specialist that works with schools, noted “accidents happen”, but said the incident could suggest a need for better staff understanding of, and training in, the technology they use.
“If users have seen each other’s emails – hopefully that’s not going to result in someone dying, but it is an incident that could cause concern. The bottom line is to learn from it.”
‘Increased risk’ since remote learning shift
Woodward said it was “obvious” such incidents would happen more widely in the sector given the surge in remote learning and tech use during Covid.
The shift meant lots of staff previously unfamiliar with certain software had faced a “steep learning curve”.
“Schools have a lot of children’s sensitive information – so understanding how you share and secure that is key.”
A government survey published earlier this year found 36 per cent of primary schools and 58 per cent of secondaries had identified breaches or attacks in the past year.
The DfE’s 2019-20 annual report said progress had been made on cyber-security, with an “ongoing co-ordinated programme of work to strengthen controls”.
It recorded three “protected personal data-related incidents” at the department in the year which it reported to the ICO, up from two in the two previous years.
The Department for Education has been approached for comment.