ICO reprimands Finham Park Multi Academy Trust following cyber-security breach

Laura Rae

Published: December 7th, 2023


The Information Commissioner's Office (ICO) has recently announced its decision to reprimand Finham Park Multi Academy Trust (the MAT), after an unauthorised third party accessed and encrypted the MAT's systems.

Background

The MAT reported a cyber-security breach to the ICO following unauthorised access to its systems by a third party. It was identified that the third party used compromised log-in credentials to gain access to and encrypt the MAT's IT systems.

Prior to the incident, the MAT reported three similar incidents to the ICO, following which the ICO issued guidance to the MAT outlining the importance of implementing appropriate password policies and account management procedures. As part of its investigation into the MAT's most recent security breach, the ICO identified that it had failed to follow the guidance previously issued and therefore had not implemented appropriate technical and organisational measures to secure its systems. This failure to act was ultimately deemed an aggravating factor in the decision to reprimand the MAT.

Findings

Following its investigation, the ICO identified breaches of the following provisions of the UK GDPR:

  • Article 5(1)(f) - principle of integrity and confidentiality.

  • Article 32(1) - security of personal data.

In support of this decision, the ICO explained that the MAT did not have sufficient measures in place to ensure the confidentiality and integrity of its systems. For example, it had an inadequate account lockout policy, despite the advice of the National Cyber Security Centre, and had reversible password encryption enabled. In the ICO's view, had appropriate measures been in place, they could have reduced the likelihood of an attack occurring.

Another influencing factor in the decision was that the MAT did not have multi-factor authentication (MFA) as part of its login procedures and that employees did not have sufficient knowledge and understanding of the risks of re-using passwords. Again, the ICO considered that, had this training been effectively delivered, the incident might have been avoided.
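Two of the weaknesses the ICO names, an inadequate lockout policy and reversible password encryption, are directory configuration settings that can be audited directly. The following PowerShell script is an added example, not part of the article or of any ICO material, and it assumes an on-premises Active Directory domain with the RSAT ActiveDirectory module installed (the article does not say what directory the MAT used). The baseline lockout threshold of 10 in the script is an assumed internal standard, not a figure from the reprimand. MFA enforcement is not visible from the directory alone and is not checked here.

```powershell
# Added audit script (not from the article). Assumes an on-premises Active Directory
# domain and the RSAT ActiveDirectory module; run from a domain-joined admin workstation.
Import-Module ActiveDirectory

# 1. Lockout policy: the default domain policy plus any fine-grained policies.
#    A LockoutThreshold of 0 means accounts never lock out, so password guessing
#    against a known username runs unchecked.
$default = Get-ADDefaultDomainPasswordPolicy
$policies = @([pscustomobject]@{
    Name                     = 'Default Domain Policy'
    LockoutThreshold         = $default.LockoutThreshold
    LockoutDuration          = $default.LockoutDuration
    LockoutObservationWindow = $default.LockoutObservationWindow
    ReversibleEncryption     = $default.ReversibleEncryptionEnabled
})
$policies += Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    [pscustomobject]@{
        Name                     = $_.Name
        LockoutThreshold         = $_.LockoutThreshold
        LockoutDuration          = $_.LockoutDuration
        LockoutObservationWindow = $_.LockoutObservationWindow
        ReversibleEncryption     = $_.ReversibleEncryptionEnabled
    }
}

# Flag weak settings. The threshold of 10 is an assumed internal baseline,
# not a figure from the article; adjust it to your own standard.
$MaxAcceptableThreshold = 10
foreach ($p in $policies) {
    $issues = @()
    if ($p.LockoutThreshold -eq 0) {
        $issues += 'lockout disabled'
    } elseif ($p.LockoutThreshold -gt $MaxAcceptableThreshold) {
        $issues += "threshold $($p.LockoutThreshold) above baseline"
    }
    if ($p.ReversibleEncryption) {
        $issues += 'reversible password encryption enabled in policy'
    }
    $status = if ($issues) { 'WEAK: ' + ($issues -join '; ') } else { 'OK' }
    "{0,-30} {1}" -f $p.Name, $status
}

# 2. Accounts individually flagged to store passwords with reversible encryption
#    (userAccountControl bit 0x80, ENCRYPTED_TEXT_PWD_ALLOWED). Any hit means the
#    cleartext password is recoverable by anyone who obtains the directory database.
$reversible = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' `
    -Properties Enabled, LastLogonDate |
    Select-Object SamAccountName, Enabled, LastLogonDate

"Accounts with reversible password encryption: $(@($reversible).Count)"
$reversible | Format-Table -AutoSize

# Remediation: clear the flag, then require a password change so the stored value
# is replaced by a one-way hash. Uncomment once the list above has been reviewed.
# $reversible | Set-ADUser -AllowReversiblePasswordEncryption $false -ChangePasswordAtLogon $true
```

Clearing the reversible-encryption flag does not by itself remove the already-stored cleartext-equivalent value; the password must be changed afterwards, which is why the remediation line sets both parameters together.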

The reprimand

In providing its recommendations, the ICO acknowledged that the MAT had taken a number of remedial steps in light of the security breach, including the implementation of MAT-wide MFA, creation of a digital transformation project plan and IT system restoration.

Notwithstanding these actions, the ICO decided to issue a formal reprimand to the MAT in respect of the identified infringements of the UK GDPR.

Consequences of a Reprimand

A reprimand is issued by the ICO under Article 58(2) UK GDPR following an investigation where the ICO considers an organisation has not complied with the UK GDPR. They may be issued by the ICO where it has found a breach of the UK GDPR but the breach is not serious enough to attract a fine. They are also commonly issued against public sector organisations in the alternative to issuing a fine which would have to be paid for out of public funds.

From December 2022, the ICO announced it would publish details of reprimands on its website. Therefore, despite avoiding a fine, organisations may now face additional scrutiny and reputational damage as a result of a reprimand being issued. An organisation may also find the reprimand being used as evidence in claims for compensation for a data breach.

Conclusion

This reprimand reinforces the need for all schools to have robust IT security policies and procedures in place, given the volume and sensitivity of the data they hold. By having clear password policies and lockout procedures, schools should significantly reduce the likelihood of cyber-security incidents occurring, and should also have a clear process for managing and mitigating the effects of such incidents when they do occur.

Alongside this, staff should be made aware of the importance of password security and regularly updating passwords, as part of regular data protection training.

This decision provides a clear indication to schools that reporting the issue to the ICO manages only one aspect of compliance. Should schools then fail to implement the guidance issued by the ICO as a result of a breach, the ICO will consider these actions as part of its approach to enforcement moving forwards.


For further information please contact Laura Rae


© 2024 Forbes Solicitors is the trading name of Forbes Solicitors LLP Offices in Preston, Manchester, Salford, Blackburn, Blackpool, London and Leeds UK Main Office: Rutherford House, 4 Wellington Street (St Johns), Blackburn, Lancashire, BB1 8DD • Vat No: 174 394 344 Forbes Solicitors is authorised and regulated by the Solicitors Regulation Authority (SRA No. 816356). Details of the SRA’s Standards and Regulations can be found here.
