Schools are facing compensation claims from distressed staff who have been told they face increased risk of identity theft after their personal details were “compromised” in a cyber-attack over the summer.
Investigations have been launched into whether criminals have seized the names and addresses, and phone, national insurance and passport numbers of staff.
They follow a “malicious” attack on the software supplier of Single Central Record (SCR). The company says it manages more than 350,000 staff records at 1,500 schools.
Schools are required by law to keep a single central record of data gathered in checks made on staff before they take up jobs. These can be maintained by external providers, such as SCR, also known as Online SCR.
Criminals claim ownership
SCR was informed of the breach by its software supplier Intradev on Sunday, August 17.
Steve Cheetham, Intradev’s managing director, said the company “identified unauthorised activity within our systems” on August 4 after a “significant IT security” incident.
Speaking on Thursday, he said a “criminal group has claimed to have taken some data from our systems. We are investigating this as a matter of priority and are coordinating with the relevant authorities.”
The breach has been reported to Action Fraud and the Information Commissioner’s Office (ICO).
SCR said it was unable to say how many schools have been hit, but it has provided schools with a list of affected staff.
‘Identity theft risk’
“Breach management” documents sent to schools by SCR say the incident “may increase the risk of phishing, fraud attempts, and identity theft for affected individuals”.
Concerned teachers have taken to social media forum Reddit to ask for advice.
One said they were “feeling very overwhelmed and worried about the potential impact that this could have”.
They also claimed they were informed a month after the breach happened on July 31.
Under GDPR rules, organisations must report data breaches to the relevant authority within 72 hours, with those affected by high-risk incidents also informed “without undue delay”.
SCR said the breach was a “moderate to high risk due to the sensitivity of the data involved”, but no financial or criminal checks were compromised.
In a blog post, Lucas Atkin, the head of information law at Stone King, said if criminals seized data, “it is common [they] threaten to release information on the dark web for auction unless a ransom is paid”.
Schools have been told to inform staff to be “aware” of suspicious emails, phone calls, messages and phishing or impersonation attempts.
They should also avoid “clicking on unusual links” and have been advised to “consider identity protection measures” and to change passwords, including enabling two-factor authentication.
‘Staff asking for compensation’
SCR also told schools to consider registering affected staff to CIFAS, a fraud prevention membership organisation, as a “risk mitigation action”. Membership costs £30.
Claire Archibald, legal director at Browne Jacobson, said staff were asking schools and trusts for compensation, and to pay for new passports.
But she warned employers “must be careful” as there was “no duty on schools and trusts to make such payments”.
They would also likely qualify as “novel, contentious or repercussive transactions”, which required government approval.
Atkin advised schools to put Online SCR “on notice for any expenses of losses which may be incurred or suffered due to the breach”.
Attack a ‘stark reminder’
Jay Ashcroft, a director of School SCR, another provider of record services, and a former trust data protection officer, said schools should “immediately undertake” a comprehensive Data Protection Impact Assessment (DPIA) review of their contracts with Online SCR.
But one expert, speaking anonymously, said they had spoken to trusts who had not completed a DPIA before entering into the contract – which could leave schools open to legal action.
Chelmer Valley High School, in Essex, was reprimanded last year by the ICO for failing to complete a DPIA before introducing facial recognition technology for cashless catering.
Atkin also claimed “most” of the schools Stone King was advising “were not aware that Intradev was involved in the provision of Online SCR’s services”.
Neither company responded to a request for comment about whether schools were told Intradev would have access to their personal data.
Ashcroft said the incident was a “stark reminder that schools can no longer afford to take a casual approach to data protection”.
Of the 67,000 data breaches reported to the ICO since 2019, 9,347 (14 per cent) were from the education and childcare sector. The only sector with more breaches was health (12,422).
SCR said its systems “remain incredibly secure” and it has since revoked access from Intradev.
Cheetham said the “swift response” of its IT team meant systems were “successfully secured and recovered… which meant we were able to minimise operational disruption”.