PERSONAL RECORDS of thousands of secondary school pupils – including their academic records, parents’ details and disciplinary history – could be available to view by any internet user, TheJournal.ie can reveal.
A grave security flaw in the data management systems used by a large number of Irish secondary schools means that highly sensitive data is available to anyone – armed with only a generic username and password.
The systems, which run on servers physically installed in the schools, use ‘ePortal’ software created by the British services giant Serco and can be accessed remotely through the internet – though all data is hidden to anyone without a password.
But a default, generic username and password combination – which is now said to have been leaked online – allows full access to almost all of the ePortal servers run in Irish schools, opening up public access to thousands of pupils’ records.
The leak of this combination – which can be thought of as a master key, allowing anyone who has it to log in to any Irish school’s ePortal server – means the personal data of the pupils in those schools can be accessed quickly and easily.
Using these ‘master key’ credentials, it is possible to access records of a number of students in various schools. These records include:
- The pupil’s photograph
- Their date of birth
- Their parents’ names and contact phone numbers
- Details of any of the pupil’s siblings who are also enrolled in the school
- The name of the pupil’s family doctor
- The classes in which that pupil is enrolled, and their individual timetable
- The pupil’s attendance records
- Records of the student’s misconduct, including disruptive behaviour or homework not completed, and
- Results of that pupil’s in-house examinations for as long as the system has been live, and their results in any state exams.
Several schools include links to their ePortal servers on their websites – ostensibly to allow teachers to log in and update a pupil’s records from home.
However, the public display of this link means anyone with the ‘master key’ credentials can easily find and access all records for the pupils of that school.
Used by a schoolchild on Wednesday
A spokeswoman for the Department of Education said it became aware of the issue on Wednesday when a parent notified it that their child had been able to log into their own school’s server, and that of another school, using only the generic username and password.
The Department had contacted Serco to inform them of the breach, and had “requested them to take urgent and immediate action to alert schools that had purchased the E-portal application of the potential risk to any personal data held by the school, and to take whatever corrective action is deemed necessary to reduce any risk”.
It also contacted the managerial bodies for voluntary secondary schools, vocational schools, and community and comprehensive schools to inform them about the issue, so that they could in turn advise their member schools.
The school where the issue first arose has been told to contact the software supplier to have the user account disabled, inform those affected by the alleged breach, and to contact the Data Protection Commissioner.
Many schools’ servers remain open to public access this weekend, however – and can still be accessed using the ‘master key’ credentials.
The Department stressed that the data management package used by a school is chosen on a case-by-case basis by that school’s board of management, and that the Department had no role in choosing or operating the software.
This is borne out by records of tenders issued by the Department, which do not include any school management software packages.
It is not known how many of Ireland’s 722 second-level schools use the ePortal software, but search records on Google show that a considerable number operate the system – or, at least, offer public links to their system from their own websites.
In a statement to TheJournal.ie, Serco Learning managing director Mohamad Djahanbakhsh said the company had been in touch with schools using ePortal to notify them of the vulnerability and “to advise that immediate action should be taken by any school using a generic login to disable it”.
“The use of a generic login is commonplace for set-up and installation of software and hardware products and our advice to users is always to delete such logins immediately after setup,” he said.
“Serco takes the issue of data security very seriously – that is why we are also offering additional guidance to schools on the allocation and maintenance of secure usernames and passwords.”
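The advice above (disable the generic setup login once installation is finished) can be turned into a routine check. The following is an added example written for this article, not Serco’s or any school’s code: it runs over a constructed account export and a constructed authentication log, flags a vendor setup account that is still enabled after an assumed seven-day setup window, and lists any later successful logins with that account. The field names, log format and window length are assumptions.

```python
from datetime import datetime, timedelta

SETUP_WINDOW = timedelta(days=7)  # assumption: installation is complete within a week

# Constructed account export (field names are assumptions, not ePortal's real schema).
ACCOUNTS = [
    {"user": "admin",  "vendor_setup": True,  "enabled": True, "created": "2012-09-01"},
    {"user": "msmith", "vendor_setup": False, "enabled": True, "created": "2012-09-03"},
]

# Constructed authentication log: timestamp, user, result, source address.
AUTH_LOG = """\
2012-09-01T10:02:11 admin SUCCESS 10.0.5.4
2012-09-03T08:15:40 msmith SUCCESS 10.0.5.7
2012-11-14T19:44:02 admin SUCCESS 89.101.22.13
2012-11-14T19:51:30 admin SUCCESS 176.61.0.99
"""

def _deadline(account):
    """Point after which the vendor setup account should no longer exist or be enabled."""
    return datetime.fromisoformat(account["created"]) + SETUP_WINDOW

def stale_setup_accounts(accounts, now_iso):
    """Vendor setup accounts still enabled after their setup window (should be disabled)."""
    now = datetime.fromisoformat(now_iso)
    return [a["user"] for a in accounts
            if a["vendor_setup"] and a["enabled"] and now > _deadline(a)]

def late_setup_logins(accounts, log):
    """Successful logins with a setup account after its window, as (timestamp, user, source).
    Several distinct sources for one shared account is the 'master key' pattern described above."""
    deadline = {a["user"]: _deadline(a) for a in accounts if a["vendor_setup"]}
    hits = []
    for line in log.splitlines():
        ts, user, result, src = line.split()
        if user in deadline and result == "SUCCESS" and datetime.fromisoformat(ts) > deadline[user]:
            hits.append((ts, user, src))
    return hits

if __name__ == "__main__":
    print("setup accounts still enabled:", stale_setup_accounts(ACCOUNTS, "2012-11-16"))
    for ts, user, src in late_setup_logins(ACCOUNTS, AUTH_LOG):
        print(f"{ts} login with setup account {user!r} from {src}")
```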
The Office of the Data Protection Commissioner could not be reached for comment.