Cyber security

School staff personal data potentially ‘compromised’ in Intradev cyber attack

Data breach reported by IT firm Intradev may have affected data held by School Central Record, which includes addresses and passport numbers

Data breach reported by IT firm Intradev may have affected data held by School Central Record, which includes addresses and passport numbers

Exclusive

The names, addresses, phone, national insurance and passport numbers of school staff members may have been “compromised” in a cyber attack on the IT provider of a firm that maintains background check records for schools.

Single Central Record, also known as Online SCR, has written to its customers to inform them it has been notified by its software supplier Intradev Limited of a data breach.

Schools are required by law to keep a single central record of data gathered in checks made on staff before their appointment to jobs. These can be maintained by external providers, like SCR.

Director Mark Gardner confirmed to Schools Week the organisation was “notified by a third-party contractor on Sunday August 17 that they had been subject to a cyber attack.

“It is suspected by them that some of our data may have been compromised during that cyber attack.”

It is not known how many schools and trusts are affected, but SCR has many clients including several large academy trusts, which have thousands of staff between them.

Company holds teachers’ personal data

Schools Week understands data held by SCR that may have been compromised includes the names, dates of birth, email and home addresses, phone numbers, as well as national insurance, driving licence and passport numbers of school staff.

However, Gardner said the “extent and nature of the data which has been compromised is still under investigation and we are doing everything we can to liaise with the third party to understand how and why our data has been compromised.

“Given that investigations are still ongoing, we cannot confirm the extent of the data which has been compromised or provide any specific details at this stage. To do so would be speculation and premature.”

It is understood one of the lines of enquiry is into why data held by SCR could be accessed via its software supplier.

Law firm Browne Jacobson has also issued an update to its clients.

It said: “Personal data relating to staff at several of our client schools and trusts has been compromised as a result of this breach, and we are supporting those schools and trusts with their reporting duties, managing communications with affected staff, and engaging with Online SCR.

“Many schools are still closed for the school holidays, and so the communication from Online SCR may not yet have been picked up.

“Additionally, many school data protection officers may also be on leave. However, important urgent action should be taken this week if you are affected.”

Breach reported to the ICO

Gardner said his company had been “proactive in communicating with our customers about this incident” and had reported it to the Information Commissioner’s Office “as a pragmatic approach and provided schools with comprehensive support materials”.

“This goes far above our obligations as a data processor and we are happy to go the extra mile for our customers during this difficult period.

“We remain in contact with the ICO and are utilising them as a resource to deal with the above along with dedicated regulatory and commercial lawyers.”

He added that SCR’s systems “remain incredibly secure.

“We have revoked any access points we have with the third party and, as such, schools can continue using our services with complete confidence.”

And “whilst we are incredibly confident in our own internal security, please rest assured that full due diligence is taking place with all our third party contractors and increased efforts to our policies will be further strengthened if necessary.

“As you can appreciate, we are conducting a thorough investigation which, given the recent notification, is still in its infancy.

“We will provide information directly to those affected as our investigation progresses. In the meantime, we request patience from our client in order for us to get to the bottom of the issue and report back as swiftly as possible.”

‘Unauthorised activity’

Steve Cheetham, Intradev’s managing director, confirmed that on August 4, the company “identified unauthorised activity within our systems. Immediate containment measures were implemented, and a detailed investigation is now underway to understand the nature and scope of the incident.

“At this stage, the exact method of entry remains under investigation. The incident involved malicious unauthorised access, and we are treating it as a significant IT security event.”

Intradev is now reviewing “affected files and systems to determine what data may have been compromised.

“We are aware that certain files were accessed, and we are working to identify the types of data involved and the individuals potentially affected.

“This includes assessing the impact on our customers and their stakeholders, though we are not yet able to confirm the full list of affected parties or the date range of the data involved.”

Intradev has also reported the incident to the “relevant authorities, including the Information Commissioner’s Office and Action Fraud, and continue to liaise with them as appropriate.

“We remain committed to fulfilling our legal and regulatory obligations and are handling this matter with diligence and care. We will continue to provide updates to our customers, where necessary, as our investigation progresses.”

Browne Jacobson told schools that use SCR to look out for emails from the firm, which “should inform you whether your staff data is affected, and if so, to what extent”.

Latest education roles from

Chief Education Officer (Deputy CEO)

Chief Education Officer (Deputy CEO)

Romero Catholic Academy Trust

Director of Academy Finance and Operations

Director of Academy Finance and Operations

Ormiston Academies Trust

Principal & Chief Executive

Principal & Chief Executive

Truro & Penwith College

Group Director of Marketing, Communications & External Engagement

Group Director of Marketing, Communications & External Engagement

London & South East Education Group

Sponsored posts

Sponsored post

AI Safety: From DfE Guidance to Classroom Confidence

Darren Coxon, edtech consultant and AI education specialist, working with The National College, explores the DfE’s expectations for AI...

SWAdvertorial
Sponsored post

How accurate spend information is helping schools identify savings

One the biggest issues schools face when it comes to saving money on everyday purchases is a lack of...

SWAdvertorial
Sponsored post

Building Character, Increasing Engagement and Growing Leaders: A Whole School Approach

Research increasingly shows that character education is just as important as academic achievement in shaping pupils’ long-term success. Studies...

SWAdvertorial
Sponsored post

Educators launch national AI framework to guide schools and colleges

More than 250 schools and colleges across the UK have already enrolled in AiEd Certified, a new certification framework...

SWAdvertorial

More from this theme

Cyber security

Trust loses almost £400,000 in cyber scam

Police launched an investigation after Wembley Multi-Academy Trust made four payments to fraudsters

Jack Dyson

Your thoughts

Leave a Reply

Your email address will not be published. Required fields are marked *

7 Comments

  1. Sue smith

    They have accessed all my personal data including my passport, date of birth, driving licence, phone number, birth place, home address and name. I am very unhappy

  2. It is difficult to overstate the difficulty and worry this will have caused affected individuals. DBS checking data is a Godsend to the malevolently motivated due to the smorgasbord of data it requires. Online SCR’s data breach has resulted in thousands of staff losing the most sensitive personal information they possess and includes, passport number, town of birth, previous names, driving licence number, NI number, DoB, address, email and phone numbers. I am surprised there is not more ‘noise’ about this breach as it so widespread and has such sensitive personal data compromised. I would urge all in the sector to consider their online DBS check provider very carefully and seek additional guarantees as to the length of time data is held and which 3rd parties have access. Too late for many.

  3. “Why data held by SCR could be accessed via its software supplier”

    So this would constitute the mishandling of our data by SCR by allowing an unauthorized third party access to our data, so we can press for compensation for the unnecessary distress this is now going to cause us.

  4. SCR’s Mark Gardner has clearly been trained in the Titanic Department of the Gerard Ratner School of Crisis Communications:

    “Far above our obligations as a data processor… happy to go the extra mile for our customers during this difficult period… [SCR’s systems] remain incredibly secure…. Schools can continue using our services with complete confidence… We are incredibly confident in our own internal security.”