The names, addresses, phone, national insurance and passport numbers of school staff members may have been “compromised” in a cyber attack on the IT provider of a firm that maintains background check records for schools.
Single Central Record, also known as Online SCR, has written to its customers to inform them it has been notified by its software supplier Intradev Limited of a data breach.
Schools are required by law to keep a single central record of data gathered in checks made on staff before their appointment to jobs. These can be maintained by external providers, like SCR.
Director Mark Gardner confirmed to Schools Week the organisation was “notified by a third-party contractor on Sunday August 17 that they had been subject to a cyber attack.
“It is suspected by them that some of our data may have been compromised during that cyber attack.”
It is not known how many schools and trusts are affected, but SCR has many clients including several large academy trusts, which have thousands of staff between them.
Company holds teachers’ personal data
Schools Week understands data held by SCR that may have been compromised includes the names, dates of birth, email and home addresses, phone numbers, as well as national insurance, driving licence and passport numbers of school staff.
However, Gardner said the “extent and nature of the data which has been compromised is still under investigation and we are doing everything we can to liaise with the third party to understand how and why our data has been compromised.
“Given that investigations are still ongoing, we cannot confirm the extent of the data which has been compromised or provide any specific details at this stage. To do so would be speculation and premature.”
It is understood one of the lines of enquiry is into why data held by SCR could be accessed via its software supplier.
Law firm Browne Jacobson has also issued an update to its clients.
It said: “Personal data relating to staff at several of our client schools and trusts has been compromised as a result of this breach, and we are supporting those schools and trusts with their reporting duties, managing communications with affected staff, and engaging with Online SCR.
“Many schools are still closed for the school holidays, and so the communication from Online SCR may not yet have been picked up.
“Additionally, many school data protection officers may also be on leave. However, important urgent action should be taken this week if you are affected.”
Breach reported to the ICO
Gardner said his company had been “proactive in communicating with our customers about this incident” and had reported it to the Information Commissioner’s Office “as a pragmatic approach and provided schools with comprehensive support materials”.
“This goes far above our obligations as a data processor and we are happy to go the extra mile for our customers during this difficult period.
“We remain in contact with the ICO and are utilising them as a resource to deal with the above along with dedicated regulatory and commercial lawyers.”
He added that SCR’s systems “remain incredibly secure.
“We have revoked any access points we have with the third party and, as such, schools can continue using our services with complete confidence.”
And “whilst we are incredibly confident in our own internal security, please rest assured that full due diligence is taking place with all our third party contractors and increased efforts to our policies will be further strengthened if necessary.
“As you can appreciate, we are conducting a thorough investigation which, given the recent notification, is still in its infancy.
“We will provide information directly to those affected as our investigation progresses. In the meantime, we request patience from our client in order for us to get to the bottom of the issue and report back as swiftly as possible.”
‘Unauthorised activity’
Steve Cheetham, Intradev’s managing director, confirmed that on August 4, the company “identified unauthorised activity within our systems. Immediate containment measures were implemented, and a detailed investigation is now underway to understand the nature and scope of the incident.
“At this stage, the exact method of entry remains under investigation. The incident involved malicious unauthorised access, and we are treating it as a significant IT security event.”
Intradev is now reviewing “affected files and systems to determine what data may have been compromised.
“We are aware that certain files were accessed, and we are working to identify the types of data involved and the individuals potentially affected.
“This includes assessing the impact on our customers and their stakeholders, though we are not yet able to confirm the full list of affected parties or the date range of the data involved.”
Intradev has also reported the incident to the “relevant authorities, including the Information Commissioner’s Office and Action Fraud, and continue to liaise with them as appropriate.
“We remain committed to fulfilling our legal and regulatory obligations and are handling this matter with diligence and care. We will continue to provide updates to our customers, where necessary, as our investigation progresses.”
Browne Jacobson told schools that use SCR to look out for emails from the firm, which “should inform you whether your staff data is affected, and if so, to what extent”.
They have accessed all my personal data including my passport, date of birth, driving licence, phone number, birth place, home address and name. I am very unhappy.
Mine too – and my school only told me today!!! I am not even an employee – just a parent who has helped on school trips and helps the PTA. This breach is far wider than school employees, which doesn’t seem to have been picked up by the press.
We’ve only just found out today (1st October). Almost 2 months from the incident.
It is difficult to overstate the difficulty and worry this will have caused affected individuals. DBS checking data is a Godsend to the malevolently motivated due to the smorgasbord of data it requires. Online SCR’s data breach has resulted in thousands of staff losing the most sensitive personal information they possess and includes passport number, town of birth, previous names, driving licence number, NI number, DoB, address, email and phone numbers. I am surprised there is not more ‘noise’ about this breach as it is so widespread and has such sensitive personal data compromised. I would urge all in the sector to consider their online DBS check provider very carefully and seek additional guarantees as to the length of time data is held and which 3rd parties have access. Too late for many.
And these crackers want the rest of the country to trust them with our gov ID and personal picture.
“Why data held by SCR could be accessed via its software supplier”
So this would constitute the mishandling of our data by SCR by allowing an unauthorized third party access to our data, so we can press for compensation for the unnecessary distress this is now going to cause us.
SCR’s Mark Gardner has clearly been trained in the Titanic Department of the Gerard Ratner School of Crisis Communications:
“Far above our obligations as a data processor… happy to go the extra mile for our customers during this difficult period… [SCR’s systems] remain incredibly secure…. Schools can continue using our services with complete confidence… We are incredibly confident in our own internal security.”