Readers like you keep news free for everyone.

More than 5,000 readers have already pitched in to keep free access to The Journal.

For the price of one cup of coffee each week you can help keep paywalls away.

Support us today
Not now
Dublin: 16°C Tuesday 16 August 2022

Data Protection Commissioner investigating secondary schools' security flaw

The data watchdog has asked the manufacturer of potentially vulnerable software to provide a full list of affected schools.

Data Protection Commissioner Billy Hawkes and his deputy Gary Davis: the DPC is now investigating a security vulnerability with software used by hundreds of Irish schools.
Data Protection Commissioner Billy Hawkes and his deputy Gary Davis: the DPC is now investigating a security vulnerability with software used by hundreds of Irish schools.
Image: Sam Boal/Photocall Ireland

IRELAND’S DATA SECURITY WATCHDOG has contacted the manufacturer of a popular school management software product, asking for a list of the schools which run the software.

The contact comes after it was revealed that the ePortal software, manufactured by Serco, was vulnerable to exploitation because of the existence of a username-and-password combination which would allow access to almost every Irish machine running the software. revealed on Saturday that the ‘master key’ credentials, which were discovered last week, by a pupil in one school running the software, could allow anyone to access sensitive personal data – possibly including medical records – of thousands of Irish second-level pupils.

The issue is made particularly sensitive by the fact that many schools running the software have their systems set up so that they can be accessed remotely, from any internet-connected device.

While this makes it more convenient for teachers to log in and update pupils’ records from home, it also means that school’s records are vulnerable to access by anyone who has the ‘master key’ combination of username and passwords.

The Department of Education has contacted school patrons asking them to advise their schools about the issue, but the Data Protection Commissioner is now also taking action to resolve the problem.

Deputy data protection commissioner Gary Davis said last night the issue was “of huge interest of us” and that the office had been in contact with Serco seeking documentation about the product and the nature of the vulnerability.

“We’re asking them for a copy of their client list, and then what we’ll probably do is approach the schools directly,” he said.

Thousands of pupils may be affected

While Davis said the fact that the ePortal software runs on servers physically housed within each school, the DPC was also keen to ensure that no similar difficulties arose with rival products where pupils’ data is stored ‘in the cloud’ – and therefore accessible to any internet user with the right password.

Davis said such products “give rise to some concerns” about potential a similar vulnerability, if it existed, could leave pupils’ data open to access from inappropriate parties.

Making a difference

A mix of advertising and supporting contributions helps keep paywalls away from valuable information like this article.

Over 5,000 readers like you have already stepped up and support us with a monthly payment or a once-off donation.

For the price of one cup of coffee each week you can make sure we can keep reliable, meaningful news open to everyone regardless of their ability to pay.

There are 722 second-level schools in the country, with a combined student body of 323,000 pupils. While each school is responsible for choosing and maintaining its own data products, it is thought that several hundred schools use the ePortal offering – suggesting that data of tens of thousands of pupils could be at risk.

Though a minority of those schools have set up their systems to be accessible through the internet, most schools would make the system available to any computers on the network within their buildings, so the records would still be vulnerable to use by anyone within the school.

Fianna Fáíl last night asked education minister Ruairí Quinn to clarify the details of the threat, after the Department of Education wrote to schools to warn them of teh problem.

“Parents across the country will be extremely worried to learn that the private and personal information of their children may have been accessed by unauthorised individuals,” the party’s education spokesman Charlie McConalogue said.

“It is incumbent on Minister Quinn to explain how exactly this happened and what is being done now to rectify the situation.”

Read: Irish pupils’ records at risk in major data protection threat

About the author:

Gavan Reilly

Read next: