Hampshire school data breach highlights need for multiple passwords

Security professionals continually remind organisations to use a different password for each system, so that an attacker who captures one password cannot reuse it to gain unauthorised access elsewhere.

The Information Commissioner's Office (ICO) found the school, Bay House School in Hampshire, in breach of the Data Protection Act after a pupil was able to access confidential information.

The young hacker discovered the password after gaining unauthorised access to the school's website and then used it to access the school's data management system, which shared the same password.

The data management system contained personal details of pupils, including addresses, photographs and sensitive medical information.

The school, which took immediate action to restore security of the website, reported the data breach to the ICO.

The ICO's investigation found that although the school had advised staff to use different passwords, no checks had been put in place to ensure the policy was being followed.

Failure to enforce security policies is another recurring theme in reports about weaknesses in information security practices in both public and private organisations.

A survey published in May revealed that 64% of UK workers are given no IT security training in the workplace.

Sally Anne Poole, acting head of enforcement at the ICO, said it is vital that individuals do not use the same password to log in to data systems that are supposed to be kept secure.

"This is particularly important when the systems allow access to sensitive information relating to young adults," she said.

The use of different passwords is a key principle in the ICO's guidance on protecting personal information online.

Ian Potter, head teacher of Bay House School, has signed an undertaking to ensure that all reasonable measures are taken to encrypt and separate sensitive and confidential information held on the school's management system.

The school has undertaken to ensure that all staff understand the school's guidance on the use of passwords and to test the school's website regularly to check that personal information remains secure.

David Emm, senior security researcher at Kaspersky Lab, says the Bay House data breach raises the question of how to remember unique passwords for each service or application.

Most people find this difficult, especially if they want to take the precaution of creating complex, difficult-to-guess passwords that mix letters, numbers and non-alphanumeric characters.

But there are solutions, says Emm.

"A password manager application, for instance, creates and remembers all passwords, and stores them securely behind a single password," he said.

Alternatively, Emm suggests using an easy-to-remember passphrase as the core of each password and then applying a few rules to tweak it for each account.
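The ICO's finding was that the school had a policy but no check behind it, and Emm's answer to the "how do I remember them all" problem is a manager that generates a random password per system. The following is an added, illustrative example (not code from the school, the ICO or Kaspersky) of what such a check looks like at the point where a password is set: a small credential store for two hypothetical systems, "website" and "mis", that refuses to let a user set on one system a password they already use on the other, plus a generator for the kind of unique, mixed-character password a manager would produce. Because stored hashes are salted, reuse cannot be detected by comparing hashes; the only point at which the plaintext is available is when the user sets the password, so that is where the check runs. All names, systems and passwords below are constructed for the example.

```python
import hashlib
import os
import secrets
import string
from typing import Dict, Optional, Tuple

# Iteration count kept modest so the example runs quickly; production
# deployments should use a higher count or a memory-hard KDF.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored salted hash."""
    _, candidate = hash_password(password, salt)
    return secrets.compare_digest(candidate, digest)


class PasswordReuseError(ValueError):
    """Raised when a user tries to reuse a password across systems."""


class CredentialStore:
    """Hypothetical shared credential store for several systems.

    Enforces the 'different password per system' policy at set time:
    the candidate plaintext is verified against the same user's hashes
    on every other system before it is accepted.
    """

    def __init__(self) -> None:
        self._hashes: Dict[Tuple[str, str], Tuple[bytes, bytes]] = {}  # (system, user) -> (salt, digest)

    def set_password(self, system: str, user: str, password: str) -> None:
        for (other_system, other_user), (salt, digest) in self._hashes.items():
            if other_user != user or other_system == system:
                continue
            if verify_password(password, salt, digest):
                raise PasswordReuseError(
                    f"{user!r}: password offered for {system!r} is already in use on {other_system!r}"
                )
        self._hashes[(system, user)] = hash_password(password)

    def check_login(self, system: str, user: str, password: str) -> bool:
        entry = self._hashes.get((system, user))
        if entry is None:
            return False
        salt, digest = entry
        return verify_password(password, salt, digest)


def generate_password(length: int = 20) -> str:
    """Random password mixing letters, digits and punctuation, as a manager would create."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def demo() -> Dict[str, bool]:
    """Constructed scenario: a website admin password is offered for the data system too."""
    store = CredentialStore()
    website_pw = "Correct-Horse-7!"  # constructed sample password
    store.set_password("website", "admin", website_pw)

    try:
        store.set_password("mis", "admin", website_pw)
        reuse_blocked = False
    except PasswordReuseError:
        reuse_blocked = True

    mis_pw = generate_password()
    store.set_password("mis", "admin", mis_pw)  # distinct password is accepted

    return {
        "reuse_blocked": reuse_blocked,
        "website_login_ok": store.check_login("website", "admin", website_pw),
        "website_pw_opens_mis": store.check_login("mis", "admin", website_pw),
        "mis_login_ok": store.check_login("mis", "admin", mis_pw),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The check only works where the password-setting path can reach the other systems' hashes, and it only catches reuse from the moment it is deployed; passwords set before that, like the one shared between the website and the data system here, still need a forced reset.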

This story was first published by Computer Weekly