The names, addresses, phone, national insurance and passport numbers of school staff members may have been “compromised” in a cyber attack on the IT provider of a firm that maintains background check records for schools.
Single Central Record, also known as Online SCR, has written to its customers to inform them it has been notified by its software supplier Intradev Limited of a data breach.
Schools are required by law to keep a single central record of data gathered in checks made on staff before their appointment to jobs. These can be maintained by external providers, like SCR.
Director Mark Gardner confirmed to Schools Week the organisation was “notified by a third-party contractor on Sunday August 17 that they had been subject to a cyber attack.
“It is suspected by them that some of our data may have been compromised during that cyber attack.”
It is not known how many schools and trusts are affected, but SCR has many clients including several large academy trusts, which have thousands of staff between them.
Company holds teachers’ personal data
Schools Week understands data held by SCR that may have been compromised includes the names, dates of birth, email and home addresses, phone numbers, as well as national insurance, driving licence and passport numbers of school staff.
However, Gardner said the “extent and nature of the data which has been compromised is still under investigation and we are doing everything we can to liaise with the third party to understand how and why our data has been compromised.
“Given that investigations are still ongoing, we cannot confirm the extent of the data which has been compromised or provide any specific details at this stage. To do so would be speculation and premature.”
Law firm Browne Jacobson has also issued an update to its clients.
It said: “Personal data relating to staff at several of our client schools and trusts has been compromised as a result of this breach, and we are supporting those schools and trusts with their reporting duties, managing communications with affected staff, and engaging with Online SCR.
“Many schools are still closed for the school holidays, and so the communication from Online SCR may not yet have been picked up.
“Additionally, many school data protection officers may also be on leave. However, important urgent action should be taken this week if you are affected.”
Breach reported to the ICO
Gardner said his company had been “proactive in communicating with our customers about this incident” and had reported it to the Information Commissioner’s Office “as a pragmatic approach and provided schools with comprehensive support materials”.
“This goes far above our obligations as a data processor and we are happy to go the extra mile for our customers during this difficult period.
“We remain in contact with the ICO and are utilising them as a resource to deal with the above along with dedicated regulatory and commercial lawyers.”
He added that SCR’s systems “remain incredibly secure.
“We have revoked any access points we have with the third party and, as such, schools can continue using our services with complete confidence.”
And “whilst we are incredibly confident in our own internal security, please rest assured that full due diligence is taking place with all our third party contractors and increased efforts to our policies will be further strengthened if necessary.
“As you can appreciate, we are conducting a thorough investigation which, given the recent notification, is still in its infancy.
“We will provide information directly to those affected as our investigation progresses. In the meantime, we request patience from our client in order for us to get to the bottom of the issue and report back as swiftly as possible.”
‘Unauthorised activity’
Steve Cheetham, Intradev’s managing director, confirmed that on August 4, the company “identified unauthorised activity within our systems. Immediate containment measures were implemented, and a detailed investigation is now underway to understand the nature and scope of the incident.
“At this stage, the exact method of entry remains under investigation. The incident involved malicious unauthorised access, and we are treating it as a significant IT security event.”
Intradev is now reviewing “affected files and systems to determine what data may have been compromised.
“We are aware that certain files were accessed, and we are working to identify the types of data involved and the individuals potentially affected.
“This includes assessing the impact on our customers and their stakeholders, though we are not yet able to confirm the full list of affected parties or the date range of the data involved.”
Intradev has also reported the incident to the “relevant authorities, including the Information Commissioner’s Office and Action Fraud, and continue to liaise with them as appropriate.
“We remain committed to fulfilling our legal and regulatory obligations and are handling this matter with diligence and care. We will continue to provide updates to our customers, where necessary, as our investigation progresses.”
Browne Jacobson told schools that use SCR to look out for emails from the firm, which “should inform you whether your staff data is affected, and if so, to what extent”.
Your thoughts