After what the college has referred to as a “technical issue,” students at an elite college for barristers were allowed to access files containing data on hundreds of other existing and potential students.
The Inns of Court College of Advocacy (ICCA), which provides training to aspiring barristers, has informed the Information Commissioner’s Office (ICO) of a breach that made sensitive college files accessible to students on the college website.
Some college students were able to access files containing nearly 800 students’ personal and sensitive information, including more than 440 specific email addresses.
Students at the college had access to personal information due to the breach, including email addresses and phone numbers as well as educational information like exam results and past institutions they had attended.
Additionally, the students had access to ID images, student ID numbers, and private information like health records, visa status, or whether or not they were expecting or already had children.
The ICCA provides a year-long training program for aspiring barristers that combines online learning, in-person instruction, and self-study. The first half of the college’s two-part course is “delivered fully online,” according to its website.
Andy Russell, the director of operations for the ICCA, told Computer Weekly that “certain students” could access files that should only be accessible to staff due to an undefined “technical issue.” According to him, the college requested written agreements from those who had access to the files, promising never to divulge the information to anyone else.
A data breach
The college never confirmed how many students were able to access the files.
According to Russell, “The ICCA experienced a data breach in August 2023.” Some registered students who submitted search requests in their [email protected] email accounts were returned results that included some files from the ICCA’s staff-only SharePoint site due to a complex issue.
“Action was taken right away to secure the damaged files as soon as the issue was known,” he continued.
Additionally, the Information Commissioner’s Office has stated that it was made aware of the breach and is thinking about what to do next.
The Council of the Inns of Court has informed us of an incident, and we are evaluating the information provided, according to an ICO spokesperson.
According to Russell, the data breach was contained within the college and did not put the rights and freedoms of the impacted individuals at “high risk.”
He stated that “The ICCA thoroughly investigated the breach and confirmed that no financial information or log-on/password information was accessed.”
Written commitments
Although some files were accessed by a very modest number of ICCA students, it has been determined that no specific data was shared outside of our institution, according to Russell. We got in touch with the students who did access the files and got written guarantees from them that any information they might have seen was private and would never be.
The ICCA “completed a detailed risk assessment once the full facts of the breach were established and after consulting with physical IT and GDPR experts,” he said.
Russell continued by saying that after conducting the necessary tests, it was determined that the situation did not pose a significant threat to the “rights and freedoms” of those affected.
However, he added, “In the interest of transparency and candor, the ICCA actively informed all those whose data had been viewed of the breach’s specifics.”
GDPR requirements
According to Computer Weekly, the college’s claim that the data breach did not present a “high risk” meant that it was not required to notify all students whose data had been compromised.
The college was required to contact the ICO under the General Data Protection Regulation (GDPR) rather than all individuals whose data may have been viewed.
The college has stated that it has nevertheless notified those whose data it is aware were “viewed.”
However, since the college has only stated that the breach’s nature was a “technical issue,” it is impossible to tell if this means that all of the people whose data had been accessed have been reached.