The Legal Leader

The Intradev breach is a wake-up call on cyber risk management

The time for naïve optimism on tech security is over. Here’s how school leaders can begin to make informed, strategic decisions about procurement

The time for naïve optimism on tech security is over. Here’s how school leaders can begin to make informed, strategic decisions about procurement

13 Sep 2025, 5:00

The recent cyber-attack on the Online Single Central Record (Online SCR) supplier Intradev has sent shockwaves through the education sector, affecting many schools and thousands of school staff.

While this incident is deeply concerning, it can serve as a learning opportunity for schools in their relationship with edtech vendors.

Ultimately, it highlights the trade-off in risks that often occurs when procuring technology services and the need for robust, proactive risk management.

Outsourcing’s hidden trade-off

Using the services of an external company to manage processes such as your single central record (SCR) and recruitment checks is perfectly valid.

Many edtech vendors provide high-quality platforms that reduce workload as well as risk by efficiently identifying gaps and errors in the record.

However, reducing risks in one area doesn’t eradicate risk altogether. In fact, transferring sensitive data to an external supplier creates a new one.

Many schools we speak to acknowledge they haven’t considered this trade-off, and this is the crux of the problem.

In the case of the Online SCR incident, it was the platform’s own software supplier Intradev that was hit by the cyber-attack. Hackers were then able to access the names, addresses and phone, national insurance and passport numbers of school staff.

This illustrates the complexity of modern data-sharing arrangements and the critical importance of understanding exactly what data flows where.

Therefore, risk management should be front and centre of any technology procurement exercise, never just an afterthought.

Data protection issues aren’t going away

With the Department for Education encouraging schools to embrace AI tools, and Browne Jacobson’s School Leaders Survey last autumn showing that half of schools are using AI tools in the classroom, the volume of data being shared with external vendors is only going to increase.

As a result, so is risk.

The consequences of data being compromised are far and wide. The Information Commissioner’s Office last year reprimanded an Essex school for failing to protect data when installing facial recognition technology, while some staff have been asking for schools to compensate them following the Online SCR cyber-attack.

Strategic risk management

The first time that trustees or governors become aware of risk shouldn’t be when they are asked to deal with a data breach. Maturely accepting and managing vendor risk means:

Involving Data Protection Officers (DPOs) from the outset

Schools should always assess data risks and conduct vendor due diligence before entering into contracts. Your DPO should be involved from the very beginning of any tech procurement exercise to help to bring a focus on data protection risks.

Conducting thorough Data Protection Impact Assessments (DPIAs)

When talking to vendors, read their terms and conditions, and privacy notices. A DPIA isn’t just a box-ticking exercise; it’s your opportunity to understand and mitigate risks before they materialise.

Get proper legal advice

When entering into high-risk processing activities where significant amounts or sensitive personal data might be shared, seek independent legal advice to review or draw up contracts that ensure any risks are effectively mitigated.

Transparent governance

Schools might decide after reading the contract that there is still risk. However, they can then ensure their governors or trustees are making a fully-informed decision on whether to proceed.

The Online SCR incident should be a wake-up call for the entire education sector.

The worst thing schools can do is fail to acknowledge risk at outsourcing tasks to edtech vendors. Instead, they must start viewing edtech procurement through a risk management lens, understanding that every technological solution promising to solve one problem may well create others.

The key is not to avoid all risk. That would be impossible and counterproductive. Instead, it is to understand, assess and consciously manage it.

The future of education technology is bright, but only if we approach it with our eyes wide open to both its benefits and its risks. The time for naive optimism is over; the era of informed, strategic decision-making must begin now.

Latest education roles from

Chief Education Officer (Deputy CEO)

Chief Education Officer (Deputy CEO)

Romero Catholic Academy Trust

Director of Academy Finance and Operations

Director of Academy Finance and Operations

Ormiston Academies Trust

Principal & Chief Executive

Principal & Chief Executive

Truro & Penwith College

Group Director of Marketing, Communications & External Engagement

Group Director of Marketing, Communications & External Engagement

London & South East Education Group

Sponsored posts

Sponsored post

How accurate spend information is helping schools identify savings

One the biggest issues schools face when it comes to saving money on everyday purchases is a lack of...

SWAdvertorial
Sponsored post

Building Character, Increasing Engagement and Growing Leaders: A Whole School Approach

Research increasingly shows that character education is just as important as academic achievement in shaping pupils’ long-term success. Studies...

SWAdvertorial
Sponsored post

Educators launch national AI framework to guide schools and colleges

More than 250 schools and colleges across the UK have already enrolled in AiEd Certified, a new certification framework...

SWAdvertorial
Sponsored post

How Learner-Led Computing Promotes Student Engagement

For 15 years, Apps for Good has been championing digital education, empowering young people from all backgrounds - especially...

SWAdvertorial

Your thoughts

Leave a Reply

Your email address will not be published. Required fields are marked *