Hampshire School Information Hacked
A secondary school has been rebuked after the details of thousands of people, including pupils, were left exposed when a hacker targeted its website.
Bay House School in Hampshire was found to have breached the Data Protection Act by the Information Commissioner's Office.
The hacking attack, by a pupil at the school, saw the names, addresses, photographs and medical information of 7,600 pupils exposed, plus personal details of pupils' parents and teachers.
In all, around 20,000 people were affected, the ICO said.
Its investigation into the attack, which happened in March, found that a teacher at Bay House School had used the same password to access both the school's website and its internal data systems.
This password was then used by the pupil to gain entry to other parts of the school's systems, potentially allowing them to access the details of individuals.
The school had advised staff to use different passwords, the ICO found, but no checks were made to ensure this happened.
ICO acting head of enforcement Sally Anne Poole said:
"While it can be difficult to remember lots of different passwords, it is vitally important that individuals do not use the same password to log in to data systems that are supposed to be kept secure.
"This is particularly important when the systems allow access to sensitive information relating to young adults.
"We are pleased that Bay House School has agreed to take action to improve the security of the personal information they hold."
The school's headteacher, Ian Potter, has signed an undertaking to ensure that reasonable measures are taken to encrypt and separate sensitive and confidential information held on the school's systems.
It will also make sure that staff understand the policy on passwords and regularly test the website to ensure that the personal information it holds is secure.