The Importance of Data Wiping in Schools
5 Aug 2021
Schools work with an incredibly large amount of sensitive data. This data is stored digitally and includes student and staff names, dates of birth and addresses. If a school were to be on the receiving end of a data breach, this information could be stolen and used against the victims. In turn, the school could be liable for the failure to protect the data if it did not follow its internal procedures or had inadequate security systems. It is therefore essential for all schools to ensure their data is completely protected.
But what exact type of data do schools keep stored?
Anything relating to the identities of pupils and staff is stored within a school’s database. If this personal information is stolen, their identities are at risk of being leaked, which could lead to harm. Everyone is entitled to their own privacy. This is even stated in Article 8 of The Human Rights Act; data must be kept solidly secure by organisations such as schools.
Examples of personal information a school may store include:
- Names and dates of birth for both pupils and staff;
- Images of pupils and staff confirming their identity;
- National Insurance numbers;
- Addresses of pupils and staff;
- Recruitment information;
- Financial records, such as tax information and bank details;
- Information relating to pupil behaviour and school attendance;
- Medical records, including GP names and medical conditions;
- Exam results and class grades;
- Staff development reviews;
- School assessments and marks;
- Safeguarding information, including data related to SEN assessments.
The importance of data protection in schools.
It is a school’s duty of care to protect and safeguard all children who attend or have attended their education facility. This includes creating and maintaining a safe learning environment both physically and digitally, as well as the handling of their personal information, which has further links to their safety outside of school. Failure to do this may result in potential harm, thus going against the various UK Health and Safety laws that schools are expected to follow.
As previously stated, schools have to protect the data of their staff and pupils since any breach could be in violation of Article 8 in The Human Rights Act. Furthermore, the resulting data breaches may then lead to legal cases with the affected individuals, further tarnishing the school’s reputation and involving significant financial loss. Solid data protection, therefore, helps avoid all of this mess.
How to reduce risk in schools.
First, there must be measures outlined to prevent data breaches from happening in the first place. Next, schools should consider even the most basic cybersecurity protections, as these could persuade attackers to try another weaker, easier target. Following that, it is important to keep updating and changing those protections. Changing passwords and updating cybersecurity measures every so often will ensure that the school is harder to break down and breach. It can almost be seen as a cat and mouse game. That is why consulting a cybersecurity expert is key to keeping this up.
Learning from other cases can help inform schools on the best approaches to data breaches. For example, a hacker managed to gain access to a school’s computer system through the remote desktop protocol (RDP). The port was exposed directly to the internet, allowing hackers to use scanning tools to identify weak points in the cybersecurity system.
As the school’s local administrator account had a weak password, the hacker was able to gain access via a brute force attack. There was no multi-factor authentication enabled either, making it as simple as walking through an unlocked door. Ransomware was then unleashed, locking the school out of its systems and demanding a payment of 2 bitcoin for the decryption key.
The incident was reported to CFC’s response team, who were able to identify the ransomware variant and use a freely available decryption key to begin decrypting the affected data. However, the attack had impacted servers containing sensitive data, including parents’ names, phone numbers, and addresses; data on past and present students, such as grades, attendance, and medical records; information on staff, such as contact details, addresses and bank account details; and information on prospective students likely to be inducted next school year.
After a forensic investigation, it transpired that the ransomware variant was not known to be capable of accessing or exfiltrating personal data. The bandwidth usage logs did not show high levels of traffic during the attack period, indicating no major data exfiltration. The hacker had only been logged on to the school’s computer systems for a short period of time, suggesting they were focused on deploying the ransomware rather than seeking out sensitive data.
Although this was good news, it actually highlights the flaws within the school’s cybersecurity system and how easy it could have been for the hacker to have stolen the data. Proper measures that prevent hackers from gaining access are completely necessary, saving a lot of hassle and potential legal trouble. The school in question was very lucky to come out unscathed.
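The logon pattern in the case above (repeated failed remote logons against the local administrator account, then a success from the same address) can be picked out of Windows Security logon events. The Python below is an added example, not part of the original article or of CFC's investigation; the event records are constructed, and the simplified field names, the 10.0.0.0/8 LAN range and the threshold of five failures in ten minutes are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.0.0/8")   # assumption: the school's internal address range
REMOTE_TYPES = {3, 10}           # LogonType 10 = RDP session, 3 = network logon (RDP with NLA)
FAILED, SUCCESS = 4625, 4624     # Windows Security event IDs for failed / successful logon


def sample_events():
    """Constructed records with simplified field names (not a real log export)."""
    t0 = datetime(2021, 1, 10, 2, 0, 0)
    ev = [{"time": t0 + timedelta(seconds=10 * i), "id": FAILED, "type": 3,
           "user": "Administrator", "src": "203.0.113.7"} for i in range(8)]
    ev.append({"time": t0 + timedelta(seconds=90), "id": SUCCESS, "type": 10,
               "user": "Administrator", "src": "203.0.113.7"})
    # A member of staff mistyping a password once on the LAN must not be flagged.
    ev.append({"time": t0 + timedelta(seconds=100), "id": FAILED, "type": 10,
               "user": "j.smith", "src": "10.1.2.3"})
    ev.append({"time": t0 + timedelta(seconds=130), "id": SUCCESS, "type": 10,
               "user": "j.smith", "src": "10.1.2.3"})
    return ev


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {(src, user): finding} for bursts of failed remote logons."""
    recent = defaultdict(deque)  # (src, user) -> failure times still inside the window
    findings = {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["type"] not in REMOTE_TYPES:
            continue
        key = (e["src"], e["user"])
        fails = recent[key]
        while fails and e["time"] - fails[0] > window:
            fails.popleft()
        if e["id"] == FAILED:
            fails.append(e["time"])
            if len(fails) >= threshold:
                f = findings.setdefault(key, {"failures": 0, "succeeded": False,
                                              "external": ip_address(e["src"]) not in LAN})
                f["failures"] = max(f["failures"], len(fails))
        elif e["id"] == SUCCESS and len(fails) >= threshold:
            findings[key]["succeeded"] = True   # the guess that worked: treat as compromise
    return findings


if __name__ == "__main__":
    for (src, user), f in detect_rdp_bruteforce(sample_events()).items():
        print(src, user, f)
```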
When do you need to wipe technology, and how?
There are three times when you need to wipe technology thoroughly. These are when:
- an employee leaves;
- the tech dies;
- you sell old software.
Doing so will ensure that any associated data is kept secure and private to the school and individuals involved. Hackers should have absolutely nothing to go off of. Being careful and cautious is the best policy. Leaving any scraps to be taken advantage of is most definitely not.
To get comprehensive and effective help for wiping technology completely, find out which WipeDrive product is the perfect solution for your school’s cybersecurity problems. For more information, call us on 0345 340 3105 to speak to our team, or fill out our enquiry form today!