Teen reveals security risk to schools’ pupil files

Confidential information on thousands of students could have been breached after a teenager revealed that a software programme used by schools had a shared login.

The software company Serco, which provides the ePortal system to more than 400 Irish schools, has been asked by the Department of Education to act urgently to reduce the security risk that emerged last week.

The software is used by principals and teachers to record information on attendance, test results, behaviour issues and staff comments about pupils.

The problem came to light after the department was told by a parent that his child reported being able to access the web portal in his school. Not only was a shared user name and password being used in the school, but it was also claimed that other schools may have been using the same login information.

This meant there was a risk that anybody with the user name and password could access confidential information from a number of schools. It is unknown how this happened but it is understood that schools may have been using default log-in information instead of changing it after first use.

The use of generic log-in details is believed to be common in some schools for substitute teachers, although such staff might have restricted access, meaning they can use the system in school but not externally.

Mohamad Djahanbakhsh, managing director of Serco Learning, said: “We understand that some schools have been using a generic password and username to access their e-portal product. We have contacted schools using e-portal and advised them to take immediate action to delete and disable any generic login details. Serco takes the issue of data security very seriously, that is why we are also offering additional guidance to schools on the allocation and maintenance of secure user names and passwords.”

The company website says 430 Irish schools use the ePortal system. Its features include allowing remote access by teachers from home to enter test results or upload student reports and other confidential information. It is understood to require different login details to another commonly used Serco administration package that stores more personal details, such as dates of birth, photos, contact details and medical information held by schools.

A Department of Education spokeswoman said it contacted the company after being made aware last Wednesday of the alleged security breach and accessing of pupil data in another school using the same username and password. She said the firm was asked to take immediate action to alert schools that have ePortal of the potential risk to personal data, and to take the necessary corrective action.

The school where the alleged breach happened was advised by the department to have the user account in question disabled by the software company, to find ways of informing anyone as soon as possible, and to inform the Office of the Data Protection Commissioner.

It is unclear what sector the school is in but the Joint Managerial Body (JMB), which represents religious-owned second-level schools, said it is confident this was an isolated issue.

© Examiner Echo Group Limited