Thursday 15 November 2012

Data Protection Commissioner investigating secondary schools’ security flaw

The data watchdog has asked the manufacturer of potentially vulnerable software to provide a full list of affected schools. The DPC is now investigating a security vulnerability with software used by hundreds of Irish schools. The DPC has contacted the manufacturer of a popular school management software product, asking for a list of the schools which run the software. 

The contact comes after it was revealed that the ePortal software, manufactured by Serco, was vulnerable to exploitation because of the existence of a username-and-password combination which would allow access to almost every Irish machine running the software. The issue is made particularly sensitive by the fact that many schools running the software have their systems set up so that they can be accessed remotely, from any internet-connected device. While this makes it more convenient for teachers to log in and update pupils’ records from home, it also means that schools’ records are vulnerable to access by anyone who has the ‘master key’ combination of username and password.

The Department of Education has contacted school patrons asking them to advise their schools about the issue, but the Data Protection Commissioner is now also taking action to resolve the problem. Deputy data protection commissioner Gary Davis said last night the issue was “of huge interest to us” and that the office had been in contact with Serco seeking documentation about the product and the nature of the vulnerability. “We’re asking them for a copy of their client list, and then what we’ll probably do is approach the schools directly,” he said.

Thousands of pupils may be affected. While Davis said the ePortal software runs on servers physically housed within each school, the DPC was also keen to ensure that no similar difficulties arose with rival products where pupils’ data is stored ‘in the cloud’ - and therefore accessible to any internet user with the right password. Davis said such products “give rise to some concerns” that a similar vulnerability, if it existed, could leave pupils’ data open to access by inappropriate parties.

There are 722 second-level schools in the country, with a combined student body of 323,000 pupils. While each school is responsible for choosing and maintaining its own data products, it is thought that several hundred schools use the ePortal offering - suggesting that data of tens of thousands of pupils could be at risk. Though a minority of those schools have set up their systems to be accessible through the internet, most schools would make the system available to any computers on the network within their buildings, so the records would still be vulnerable to use by anyone within the school.

Fianna Fáil last night asked education minister Ruairí Quinn to clarify the details of the threat, after the Department of Education wrote to schools to warn them of the problem. “Parents across the country will be extremely worried to learn that the private and personal information of their children may have been accessed by unauthorised individuals,” the party’s education spokesman Charlie McConalogue said. “It is incumbent on Minister Quinn to explain how exactly this happened and what is being done now to rectify the situation.”

The ‘master key’ credentials, which were discovered last week by a pupil in one school running the software, could allow anyone to access sensitive personal data - possibly including medical records - of thousands of Irish second-level pupils.