A school in Hampshire has been criticised by the Information Commissioner’s Office (ICO) after poor password controls resulted in a hack on its system that exposed details of 20,000 individuals, including 7,600 pupils.

According to the ICO, a member of staff at the school – Bay House School in Gosport, Hampshire – was using the same password to access the school’s website and data management system.

A pupil accessed these systems and obtained information that included pupils’ names, addresses, photographs and some sensitive information relating to their medical history. Information relating to the pupils’ parents and teachers was also compromised during the breach, which occurred in March this year.

Although the school had advised members of staff to use different passwords for different systems, no checks were in place to ensure this policy was followed, so the same password protected the public website and the data management system.
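One way such a check can be enforced, rather than merely advised, is to reject a new password at the moment it is set if it still verifies against the same user's stored hash on another system. The example below is added here and is not code from the article or from the school; the two credential stores, the user name and the passwords are constructed for illustration. Because each system salts its hashes independently, the hashes themselves can never be compared; the candidate plaintext is verified against the other store's record while it is still in hand, which is the only point at which this check is possible.

```python
"""Cross-system password-reuse check (added example, not the school's code).

Each system keeps its own salted hash. When a user sets a password on one
system, the candidate is verified against that user's record on every other
system and refused if it matches.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# PBKDF2-HMAC-SHA256 parameters; raise the iteration count for production use.
PBKDF2_ITERATIONS = 100_000
HASH_LEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash); a fresh random salt is generated unless one is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, dklen=HASH_LEN)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


class CredentialStore:
    """One system's credential table: username -> (salt, hash). Hypothetical."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._records: Dict[str, Tuple[bytes, bytes]] = {}

    def set_password(self, user: str, password: str,
                     other_stores: Iterable["CredentialStore"] = ()) -> None:
        """Store a new password, refusing it if the user already uses it elsewhere."""
        for other in other_stores:
            if other is self:
                continue
            record = other._records.get(user)
            if record is not None and verify_password(password, *record):
                raise ValueError(
                    f"{user!r}: password is already in use on {other.name}")
        self._records[user] = hash_password(password)

    def check(self, user: str, password: str) -> bool:
        """Login-style verification against this store only."""
        record = self._records.get(user)
        return record is not None and verify_password(password, *record)


def demo() -> bool:
    """Walk through the scenario: same staff account on two systems (constructed)."""
    website = CredentialStore("website")
    mis = CredentialStore("data management system")
    # Staff member sets a password on the website first.
    website.set_password("staff1", "Gosport-2011", other_stores=[mis])
    # Attempting to reuse it on the data management system is refused.
    try:
        mis.set_password("staff1", "Gosport-2011", other_stores=[website])
        return False
    except ValueError:
        pass
    # A distinct password is accepted.
    mis.set_password("staff1", "correct horse battery staple", other_stores=[website])
    return (website.check("staff1", "Gosport-2011")
            and mis.check("staff1", "correct horse battery staple")
            and not mis.check("staff1", "Gosport-2011"))


if __name__ == "__main__":
    print("reuse check working:", demo())
```

The check only covers systems whose credential stores the organisation controls; it cannot detect a password also used for a personal account elsewhere, which is why the advice about password managers below still matters.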

"While it can be difficult to remember lots of different passwords, it is vitally important that individuals do not use the same password to login to data systems that are supposed to be kept secure," said Sally Anne Poole, Acting Head of Enforcement at the ICO.

"This is particularly important when the systems allow access to sensitive information relating to young adults," she added.

The school’s head, Ian Potter, has signed an agreement to ensure all reasonable measures are taken to encrypt and separate sensitive and confidential information held on the school’s management system. The school will also educate staff on the use of passwords and regularly test its website for vulnerabilities.

"This case highlights the importance – to businesses and individuals – of using distinct passwords for different computer accounts. Sadly, all too often the same password is used for everything. This is potentially dangerous because if this password is discovered, ALL accounts you access using this password can be compromised," said Kaspersky Lab’s senior security researcher David Emm.

Emm went on to say that, while he understands the difficulty of remembering a number of different passwords, he suggests the use of a password management application. "Alternatively, individuals can use an easy-to-remember passphrase as the core of each password and apply a few rules to tweak it for each account," he added.

Colin Woodland, VP EMEA at IronKey, criticised the ICO for not taking a strong line. "The ICO has had the power to fine organisations for data breach or loss for over a year now, however very few cases have resulted in a fine being imposed," he said. "And truthfully organisations aren’t exactly living in fear because there simply isn’t any clarity on what level of breach or loss will invoke a fine. Only last week Manchester Police lost a USB device, the second instance in the last 12 months, yet they’ve never had any fine imposed."

"As long as the ICO don’t have to make public the rationale for their judgements into individual cases, then organisations will lack clear guidance on what will happen to them when they lose data or have a data breach, and sadly we’ll never see an end to horror stories of this type appearing in the press," he added.