Deputy Data Protection Commissioner Ireland
The data watchdog has asked the manufacturer of potentially vulnerable software to provide a full list of affected schools.
Data Protection Commissioner Billy Hawkes and his deputy Gary Davis: the DPC is now investigating a security vulnerability with software used by hundreds of Irish schools.
Image: Sam Boal/Photocall Ireland
IRELAND’S DATA SECURITY WATCHDOG has contacted the manufacturer of a popular school management software product, asking for a list of the schools which run the software.
The contact comes after it was revealed that the ePortal software, manufactured by Serco, was vulnerable to exploitation because of the existence of a username-and-password combination which would allow access to almost every Irish machine running the software.
TheJournal.ie revealed on Saturday that the ‘master key’ credentials, which were discovered last week by a pupil in one school running the software, could allow anyone to access sensitive personal data – possibly including medical records – of thousands of Irish second-level pupils.
The issue is made particularly sensitive by the fact that many schools running the software have their systems set up so that they can be accessed remotely, from any internet-connected device.
While this makes it more convenient for teachers to log in and update pupils’ records from home, it also means that schools’ records are vulnerable to access by anyone who has the ‘master key’ combination of username and password.
The Department of Education has contacted school patrons asking them to advise their schools about the issue, but the Data Protection Commissioner is now also taking action to resolve the problem.
Deputy data protection commissioner Gary Davis said last night the issue was “of huge interest to us” and that the office had been in contact with Serco seeking documentation about the product and the nature of the vulnerability.
“We’re asking them for a copy of their client list, and then what we’ll probably do is approach the schools directly,” he said.
Thousands of pupils may be affected
While Davis said the fact that the ePortal software runs on servers physically housed within each school, the DPC was also keen to ensure that no similar difficulties arose with rival products where pupils’ data is stored ‘in the cloud’ – and therefore accessible to any internet user with the right password.
Davis said such products “give rise to some concerns” about the potential for a similar vulnerability, if it existed, to leave pupils’ data open to access from inappropriate parties.
There are 722 second-level schools in the country, with a combined student body of 323,000 pupils. While each school is responsible for choosing and maintaining its own data products, it is thought that several hundred schools use the ePortal offering – suggesting that data of tens of thousands of pupils could be at risk.