DfE Breach Exposes 28 Million Children

The Sunday Times revealed that 28 million children’s personal information were exposed after betting companies were given access to a Department for Education (DfE) database.

The Learning Record Service database, stores information on students in England, Wales and Northern Ireland choosing to take post-14 qualifications like GCSEs.

However, the report in The Sunday Times revealed that the third party data intelligence firm GB Group signed an agreement which enabled their clients to use the data for age and ID verification on their betting websites.

The DfE have since disabled this database, informed the Information Commissioners Office (ICO) of the breach and have begun to conduct their own internal investigation. GB Group have also started their own investigation into the report.

If the ICO decide to look into the breach, it could develop into a significant GDPR investigation which could have huge financial implications for those involved.

A spokesperson told The Sunday Times:

“This was completely unacceptable, and we have immediately stopped the firm’s access and ended our agreement with them. We will be taking the strongest possible action.”

The Children’s Commissioner for England, Anne Longfield, is reported to have said she was

“very shocked to learn that data has been handed over in this way.”

Javvad Malik, KnowBe4 Security Awareness Advocate, said:

“This is not just a security breach, but a breach of trust, where there is an expectation of fair, lawful and transparent uses of the data by everyone who has access to it – which in this case has not happened.

“In all of this, the responsibility sits squarely with the Department for Education, which has collected vase amounts of children’ data for nearly a decade with apparently little oversight.”

What steps do you take to ensure your data is secure?

X