An educational institution’s improper password management led to unauthorised access to the personal data of students and parents – DPP 4 – security of personal data
Background
An educational institution reported to the PCPD that a hacker had acquired the administrator password of its information management system through a brute force attack and created a new account with administrative rights to access the personal data stored in it. The incident affected the personal data of more than 24,000 parent and student users. Investigation revealed that the incident was due to improper password management, which failed to protect the administrator account in accordance with industry best practices.
Remedial Measures
Upon receipt of the notification from the institution, the PCPD initiated a compliance check and provided recommendations to the institution to ensure compliance with the relevant provisions of the PDPO. In response, the institution implemented remedial measures, including two-factor authentication for its information management system to provide an additional layer of protection for system accounts, strong passwords, regular purging of unnecessary accounts and an enhanced training programme to raise employees’ awareness of data privacy protection.
Lesson learnt
Educational institutions typically hold a large amount of personal data about students and their parents for administrative and educational purposes. There is an increasing trend of adopting online learning models by educational institutions. While reaping the benefits of information technology, these institutions should not overlook the accompanying privacy risks, especially regarding the personal data of children and youngsters. Organisations managing personal data systems need to remain vigilant and implement appropriate security policies, measures and procedures (e.g. utilising multi-factor authentication and adopting suitable password management policies) to minimise the risks of unauthorised or accidental access, processing, erasure, loss or use of personal data.
(Uploaded in February 2024)