We need your help now

Support from readers like you keeps The Journal open.

You are visiting us because we have something you value. Independent, unbiased news that tells the truth. Advertising revenue goes some way to support our mission, but this year it has not been enough.

If you've seen value in our reporting, please contribute what you can, so we can continue to produce accurate and meaningful journalism. For everyone who needs it.

Data Protection Commissioner Billy Hawkes and his deputy Gary Davis: the DPC is now investigating a security vulnerability with software used by hundreds of Irish schools. Sam Boal/Photocall Ireland
Data Protection

Data Protection Commissioner investigating secondary schools' security flaw

The data watchdog has asked the manufacturer of potentially vulnerable software to provide a full list of affected schools.

IRELAND’S DATA SECURITY WATCHDOG has contacted the manufacturer of a popular school management software product, asking for a list of the schools which run the software.

The contact comes after it was revealed that the ePortal software, manufactured by Serco, was vulnerable to exploitation because of the existence of a username-and-password combination which would allow access to almost every Irish machine running the software. revealed on Saturday that the ‘master key’ credentials, which were discovered last week, by a pupil in one school running the software, could allow anyone to access sensitive personal data – possibly including medical records – of thousands of Irish second-level pupils.

The issue is made particularly sensitive by the fact that many schools running the software have their systems set up so that they can be accessed remotely, from any internet-connected device.

While this makes it more convenient for teachers to log in and update pupils’ records from home, it also means that school’s records are vulnerable to access by anyone who has the ‘master key’ combination of username and passwords.

The Department of Education has contacted school patrons asking them to advise their schools about the issue, but the Data Protection Commissioner is now also taking action to resolve the problem.

Deputy data protection commissioner Gary Davis said last night the issue was “of huge interest of us” and that the office had been in contact with Serco seeking documentation about the product and the nature of the vulnerability.

“We’re asking them for a copy of their client list, and then what we’ll probably do is approach the schools directly,” he said.

Thousands of pupils may be affected

While Davis said the fact that the ePortal software runs on servers physically housed within each school, the DPC was also keen to ensure that no similar difficulties arose with rival products where pupils’ data is stored ‘in the cloud’ – and therefore accessible to any internet user with the right password.

Davis said such products “give rise to some concerns” about potential a similar vulnerability, if it existed, could leave pupils’ data open to access from inappropriate parties.

There are 722 second-level schools in the country, with a combined student body of 323,000 pupils. While each school is responsible for choosing and maintaining its own data products, it is thought that several hundred schools use the ePortal offering – suggesting that data of tens of thousands of pupils could be at risk.

Though a minority of those schools have set up their systems to be accessible through the internet, most schools would make the system available to any computers on the network within their buildings, so the records would still be vulnerable to use by anyone within the school.

Fianna Fáíl last night asked education minister Ruairí Quinn to clarify the details of the threat, after the Department of Education wrote to schools to warn them of teh problem.

“Parents across the country will be extremely worried to learn that the private and personal information of their children may have been accessed by unauthorised individuals,” the party’s education spokesman Charlie McConalogue said.

“It is incumbent on Minister Quinn to explain how exactly this happened and what is being done now to rectify the situation.”

Read: Irish pupils’ records at risk in major data protection threat

Readers like you are keeping these stories free for everyone...
A mix of advertising and supporting contributions helps keep paywalls away from valuable information like this article. Over 5,000 readers like you have already stepped up and support us with a monthly payment or a once-off donation.

Your Voice
Readers Comments
    Submit a report
    Please help us understand how this comment violates our community guidelines.
    Thank you for the feedback
    Your feedback has been sent to our team for review.