More than 700 data breaches at schools and academies reported in just the last year

Publications that covered this story include the Times Educational Supplement on 21 November 2018.
  • Universities and colleges reported an additional 446 data breach incidents in 2016/17, while nurseries reported 47
  • Schools at significant risk of ICO fines following a data breach

703 data breach incidents at UK academies and other schools were reported to the Information Commissioners Office (ICO) in 2016/17, rising 4% from 674 the previous year*, our research shows.

Schools are particularly at risk of being targeted by fraudsters because, unlike many larger businesses, they frequently lack the budgets to put robust data security structures in place.

Fraudsters are often known to target private schools because they hold large amounts of financial data, which could be used to extort money from parents. One example involves hackers using a school’s IT systems to send out false invoices for school bills and fees.

Data breaches are security incidents in which personal, financial or other confidential data is lost through cyber-attacks or accidental leaks. Historically, the ICO has levied some of its biggest fines for breaches against organisations that have lost data related to minors, or had it stolen.

Over the same period nurseries saw a 27% rise to 47 data breach reports to the ICO, up from 37. Universities and colleges saw a small rise in the number of data breaches reported to the ICO, to 446 in 2016/17, up from 443 the year before.

Schools are now at a serious risk of large fines if they fail to report data breaches, following the introduction of GDPR in May 2018. It is now compulsory for all organisations to report any data breach where there is a risk to people’s data security, including incidents where no information is actually lost or stolen.

ICO fines under GDPR are proportionate to the risk posed by a data breach, and therefore the regulator is unlikely to levy large fines on smaller schools and academies where data on pupils has not been put at risk. The ICO has also made it clear that it will not be issuing large fines to make examples of businesses for minor incidents.

The ICO fined Greenwich University £120,000 in May 2018, for a security breach in 2016 where the personal data of 19,500 students was placed online.

Allan Hickie, head of the academies sector at UHY Hacker Young, says: “Cyber-attacks could cause schools extensive reputational damage, especially if the personal data of children and parents is compromised.”

“As almost all data is now stored electronically, safeguards must be put in place to ensure that schools’ sensitive data is kept secure. Parents must be reassured that the information held on their children, and their own financial data, is kept safe.”

“Many private and independent schools are attractive to fraudsters, as school fees that they are attempting to redirect are often of high value. It is vital that schools have strong data security in place.”

Data breach incidents reported to the ICO have risen 4% in the last year to 703 in 2016/17

*Data security incident trends, year-end September 2017, ICO