A technical issue at the Inns of Court College of Advocacy (ICCA) led to a significant data breach, allowing students to access sensitive files containing personal information of nearly 800 current and potential students. This breach exposed email addresses, phone numbers, educational records, ID images, health information, and other private details. The college promptly reported the incident to the UK Information Commissioner’s Office (UK ICO) and took immediate action to secure the compromised files. The ICCA assured that no financial or log-in details were accessed and obtained written agreements from affected students to keep the information confidential. Despite the breach, the college determined that the incident did not pose a high risk to individuals’ rights and freedoms. However, in compliance with GDPR, they notified the ICO and those whose data was confirmed to have been viewed. This incident underscores the importance of stringent data security measures and adherence to GDPR requirements to protect personal information and maintain trust in educational institutions.
UK ICO: Student Data Exposure Due to Technical Issue
After what the college has referred to as a “technical issue,” students at an elite college for barristers were allowed to access files containing data on hundreds of other existing and potential students.
The Information Commissioner’s Office (ICO) has been informed by the Inns of Court College of Advocacy (ICCA), which provides training to aspiring barristers, of a breach that allowed sensitive college files to be accessible to students on the college website.
Some college students were able to access files containing nearly 800 students’ personal and sensitive information, including more than 440 specific email addresses.
Students at the college had access to personal information due to the breach, including email addresses and phone numbers as well as educational information like exam results and past institutions they had attended.
Additionally, the students had access to ID images, student ID numbers, and private information like health records, visa status, or whether or not they were expecting or already had children.
The ICCA provides a year-long training program for aspiring barristers that combines online learning, in-person instruction, and self-study. The first half of the college’s two-part course is “delivered fully online,” according to its website.
Andy Russell, the director of operations for the ICCA, told Computer Weekly that “certain students” could access files that should only have been accessible to staff, owing to an undefined “technical issue.” According to him, the college requested written agreements from everyone who had access to the files, promising never to divulge the information to anyone else.
ICCA Security Incident: Personal Information Leak and GDPR Compliance Breach
The college has not confirmed how many students were able to access the files.
According to Russell, “The ICCA experienced a data breach in August 2023.” Some registered students who submitted search requests in their college email accounts were returned results that included some files from the ICCA’s staff-only SharePoint site, due to a complex issue.
“Action was taken right away to secure the affected files as soon as the issue was known,” he continued.
Additionally, the Information Commissioner’s Office has stated that it was made aware of the breach and is considering its next steps.
“The Council of the Inns of Court has informed us of an incident, and we are evaluating the information provided,” an ICO spokesperson said.
According to Russell, the data breach was contained within the college and did not put the rights and freedoms of the impacted individuals at “high risk.”
He stated that “The ICCA thoroughly investigated the breach and confirmed that no financial information or log-on/password information was accessed.”
Transparency and GDPR Compliance Efforts
“Although some files were accessed by a very modest number of ICCA students, it has been determined that no specific data was shared outside of our institution,” Russell said. “We got in touch with the students who did access the files and obtained written guarantees from them that any information they might have seen was private and would not be disclosed.”
The ICCA “completed a detailed risk assessment once the full facts of the breach were established and after consulting with IT and GDPR experts,” he said.
Russell continued by saying that, after conducting the necessary assessments, it was determined that the situation did not pose a significant threat to the “rights and freedoms” of those affected.
However, he added, “In the interest of transparency and candor, the ICCA actively informed all those whose data had been viewed of the breach’s specifics.”
GDPR Compliance Concerns: Ambiguity Surrounding Notification of Student Data Exposure
According to Computer Weekly, the college’s assertion that the data breach did not present a “high risk” meant that it was not required to notify all students whose data had been compromised.
Under the General Data Protection Regulation (GDPR), the college was required to contact the ICO, but not every individual whose data may have been viewed.
The college has stated that it has only notified those whose data it knows were “viewed.”
However, since the college has described the breach’s nature only as a “technical issue,” it is impossible to tell whether everyone whose data had been accessed has been reached.