Ignored password security policy leads to school data breach

Password reuse made it easy for a student hacker to get into the database of Bay House School in Gosport and expose the details of nearly 20,000 people.

The headmaster of a Hampshire comprehensive school has been forced to apologise after a student hacked into the school’s systems and exposed thousands of personal records.

The attack, which took place in March at Bay House School in Gosport, was reported immediately to the Information Commissioner’s Office (ICO), and the school has now given the ICO a public undertaking to enforce its own security policies properly.

In an announcement, the ICO said the personal details of nearly 20,000 individuals, including some 7,600 pupils, were put at risk during an attack on the school website. The files compromised included some medical information about pupils, as well as information about parents and teachers.

According to the ICO, the attack was made easier because a member of staff was using the same password for both the school’s externally hosted website and its data management systems. Having obtained that password while breaking into the remotely hosted website, the pupil could log straight into the school’s own administration systems with it. The school said it had advised staff not to use duplicate passwords, but did not enforce the policy.
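The pivot described above works because the two systems trusted the same secret, and because neither could tell that it was shared. Each system stores its own salted hash, so the hashes cannot simply be compared; the only moment the plaintext is available is when the user sets it, which is where a "no duplicate passwords" policy can actually be enforced. The following script is an added illustration, not code from the school, the ICO or the article: it models the two stores with PBKDF2 (stdlib `hashlib`), shows the web-to-admin pivot succeeding when the password is reused, and then shows a password-change hook that rejects a candidate which already authenticates the same account on the other system. All account names, passwords and the `CredentialStore` class are invented for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed demo: two independent systems (an externally hosted website and
# an internal admin system), each keeping its own salted PBKDF2-HMAC hashes.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per system means the two
    systems' stored hashes differ even when the underlying password is the same,
    so reuse is invisible to anyone comparing the stores after the fact."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class CredentialStore:
    """Per-system password store mapping username -> (salt, digest)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def set_password(self, user: str, password: str) -> None:
        self._users[user] = hash_password(password)

    def login(self, user: str, password: str) -> bool:
        if user not in self._users:
            return False
        salt, digest = self._users[user]
        return verify(password, salt, digest)


def set_password_no_reuse(target: CredentialStore, user: str, password: str,
                          other_systems: List[CredentialStore]) -> bool:
    """Password-change hook enforcing the policy the school only advised:
    the candidate plaintext is verified against the same user's hash on every
    other system, and rejected if it authenticates there. Exact match only;
    a lightly tweaked variant of the same password would pass this check."""
    for system in other_systems:
        if system.login(user, password):
            return False
    target.set_password(user, password)
    return True


def demo() -> Dict[str, bool]:
    website = CredentialStore("website")
    admin = CredentialStore("admin")

    # No enforcement: the staff member uses one password on both systems.
    website.set_password("staff1", "Summer2011!")
    admin.set_password("staff1", "Summer2011!")
    # Attacker compromises the hosted website and recovers the password
    # (for example by cracking the web hash offline); it opens the admin system.
    recovered_from_web = "Summer2011!"
    pivot_works = admin.login("staff1", recovered_from_web)

    # With enforcement: the admin system refuses a password that already
    # authenticates the same account on the website.
    hardened_admin = CredentialStore("admin")
    reuse_rejected = not set_password_no_reuse(
        hardened_admin, "staff1", "Summer2011!", [website])
    distinct_accepted = set_password_no_reuse(
        hardened_admin, "staff1", "anchor-bishop-crater-dynamo", [website])
    pivot_blocked = not hardened_admin.login("staff1", recovered_from_web)

    return {"pivot_works": pivot_works, "reuse_rejected": reuse_rejected,
            "distinct_accepted": distinct_accepted, "pivot_blocked": pivot_blocked}


if __name__ == "__main__":
    print(demo())
```

The check has to run where the plaintext is briefly in hand (the password-set path), and it needs the other system to answer a "does this authenticate?" query for the user's own account over a trusted channel; it never needs either store's hashes to leave that system. Segregating the admin system's credentials from the website's, as the school has undertaken to do, is the complementary control: if the pivot cannot happen, a reused password on the website exposes only the website.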

Ian Potter, the school’s headmaster, issued a statement on the ICO website, admitting the breach, and saying that “computer hackers, including at least one of the school’s own pupils” were responsible.

Potter also promised the school will “encrypt and segregate sensitive and confidential information held on the data controller’s information management system, from basic identification and contact details,” and that staff will be made properly aware and trained in password policies. The school will also now undergo an annual penetration test.

David Emm, senior security researcher for Kaspersky Lab, said the case underlines the need for a more thoroughly enforced password security policy, and the necessity of avoiding the same password for different systems, but admitted users find it hard to remember multiple passwords, especially if they are complex and mix letters, numbers and special characters. “But there are solutions,” he said. “A password manager application, for instance, creates and remembers all passwords, and stores them securely behind a single password. Alternatively, individuals can use an easy-to-remember passphrase as the core of each password and apply a few rules to tweak it for each account.”

Peter Wood, chairman of Brighton-based consultancy First Base Technologies, agreed. “The reuse of passwords is emerging as a massive problem,” he said. “The password databases that our friends at Anonymous and LulzSec published all seem to indicate that some quite important hacks took place on the back of that very problem.”

He too advocates using a password manager program to help protect passwords, with a three- or four-word passphrase that is easy for the user to remember, but hard to crack.

In the penetration tests that Wood carries out, he said weak passwords are the most common vulnerability. “We had one very large customer where a system had a six-character lowercase password. They didn’t dare change it, because it had been there for so long they didn’t know which services used it and what the impact would be of changing it,” he said. Another common source of vulnerability is service accounts, he added, wherein for example, the password for a back-up service will be ‘backup’.
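To put numbers on Wood's two examples, the script below (an added illustration, not from the article or either consultancy) compares the guess space of a six-character lowercase password with that of a four-word passphrase drawn from a 7776-word Diceware-style list, generates such a passphrase with Python's `secrets` module, and flags the service-account pattern where the password is just the account name. The eight-word list and the function names are constructed for the demo; the entropy figures assume the full 7776-word list, not the sample.

```python
import math
import secrets
from typing import Sequence

# Constructed sample list; a real Diceware-style list has 7776 words.
SAMPLE_WORDS = ["anchor", "bishop", "crater", "dynamo",
                "ember", "falcon", "glacier", "harbour"]
DICEWARE_SIZE = 7776
LOWERCASE_SIZE = 26


def guess_space(symbol_count: int, length: int) -> int:
    """Number of candidates an attacker must cover for an exhaustive search
    when every position is chosen uniformly from symbol_count symbols."""
    return symbol_count ** length


def entropy_bits(symbol_count: int, length: int) -> float:
    return length * math.log2(symbol_count)


def generate_passphrase(words: Sequence[str], count: int = 4, separator: str = "-") -> str:
    """Pick words with secrets.choice (CSPRNG), not random.choice, so the
    passphrase's strength really is the full word-list entropy."""
    return separator.join(secrets.choice(words) for _ in range(count))


def is_name_derived(password: str, account_name: str) -> bool:
    """Flag the 'backup'/'backup' service-account case: password equal to the
    account name, or the name with trivial decoration (digits, punctuation,
    case changes) around it. Short names are only matched exactly to limit
    false positives."""
    p = password.lower()
    a = account_name.lower()
    letters_only = "".join(ch for ch in p if ch.isalpha())
    if p == a or letters_only == a:
        return True
    return len(a) >= 4 and a in p


def compare_policies() -> dict:
    """Six lowercase characters versus four Diceware words."""
    return {
        "lowercase6_guesses": guess_space(LOWERCASE_SIZE, 6),
        "lowercase6_bits": round(entropy_bits(LOWERCASE_SIZE, 6), 1),
        "words4_guesses": guess_space(DICEWARE_SIZE, 4),
        "words4_bits": round(entropy_bits(DICEWARE_SIZE, 4), 1),
    }


if __name__ == "__main__":
    print(compare_policies())
    print(generate_passphrase(SAMPLE_WORDS))
    for pw in ("backup", "Backup2011!", "anchor-bishop-crater-dynamo"):
        print(pw, "->", "weak" if is_name_derived(pw, "backup") else "ok")
```

The six-character lowercase password has about 3.1 x 10^8 candidates (roughly 28 bits); the four-word passphrase has about 3.7 x 10^15 (roughly 52 bits), some 12 million times more, while remaining something a person can hold in their head. The figures assume the attacker knows the scheme; if a passphrase is reused across systems, as in the Bay House case, its size no longer matters once one system gives it up.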
