Explicit comments on school app after apparent hack
- Published
Explicit comments about school children were sent to their parents in an apparent hack of a classroom app.
The incident at Billingham's Northfield school added to growing concerns over the Class Charts app, a popular pupil monitoring platform.
It followed an alleged data breach that saw some users wrongly granted access to details of children unconnected to their family or school.
Experts are urging schools to keep up with data security requirements and properly vet the platforms they use.
'Worrying'
On 29 January, some parents at Northfield School and Sports College became concerned when their children's accounts on the Class Charts app were updated in the early hours of the morning.
In screenshots seen by the BBC, pupils received an influx of virtual awards from a teacher's account, accompanied by comments too explicit to publish.
One parent, who did not want to be named, said the juvenile nature of the messages pointed towards children being behind the apparent hack.
She said: "It's worrying how simple it was for them to access information."
A spokesman for the school did not provide details regarding how the incident happened, but said it had been dealt with "swiftly and robustly", with no evidence to suggest personal data was compromised.
The incident at Northfield adds to concerns around potential vulnerabilities with Class Charts, a well-used app that allows teaching staff and parents to view a range of information about individual pupils.
Used widely by schools across the country, it can be adapted for each institution and allows staff, pupils and parents to communicate, manage behaviour and monitor attendance.
In January, the Information Commissioner's Office (ICO) was alerted to an alleged data breach on the platform.
The BBC understands that parents and staff raised concerns after logging into the system and finding they could see profiles relating to children and schools not connected to them.
A number of schools temporarily suspended access to the platform as a result of the incident.
Class Charts, which is operated by Tes Global Ltd, did not respond to the BBC's requests for further information.
However, in a message reportedly sent to some users, the company said immediate action was taken after "incorrect information" became viewable.
It said the company is now investigating the issue, which is believed to have happened in the wake of a product update and not thought to be malicious.
Dr Patrick Roach, general secretary of teaching union NASUWT, said the reasons for the alleged breach should be identified "urgently" and assurances provided to those whose data may have been compromised.
He said greater attention needs to be given to ensure data security is a priority in schools, adding: “Whilst we have seen the increasing use of technology in many facets of school life, it is vital that data security arrangements keep pace with these developments to keep pupils and their teachers safe.”
Dr Roach's comments echo those of cyber security experts who are urging schools to ensure they properly vet any third-party platforms they use.
Cyber security expert Dr James Nicholson, a lecturer at Northumbria University, said: "When using third party apps, you don't have control over their security and policy procedures.
"It raises the risk of something going wrong at their end that could affect the privacy and security of your school and its pupils."
Dr Nicholson said breaches of this nature could potentially be exploited by "bad actors" and urged schools to warn parents and staff to be on their guard against malicious communications, such as phishing emails.
The Department for Education said its guidance on cyber security and data protection is clear and intended to help schools improve "cyber resilience".
A spokesman added: "We are clear that where there is a risk to data subjects from a breach, they should be informed."
The Information Commissioner's Office confirmed it had received a data breach report in relation to Class Charts and is assessing the information provided.
Class Charts and owner company Tes did not respond to the BBC's request for comment.
However, following publication of this story, a Tes spokesman told the BBC the events at Northfield school arose as a result of a user accidentally sharing a password, adding that the incident did not represent a vulnerability on its platform and was dealt with by the school swiftly.
Analysis
By Joe Tidy, BBC cyber correspondent
The company appears to be saying there is no evidence of malicious activity or a data breach, but it would appear that a breach did indeed occur.
Any time people have access to data that they should not have had then it is considered to be a breach of security. No doubt the Information Commissioners’ Office will want to know more about the scale of any data breach and ask questions of how it happened.
Although potentially serious, it appears to be small in scale which is some comfort, but many will be asking whether or not schools should be trusting third party IT providers with personal data that might be misused or accidentally disclosed.
The fact is that skills and budgets mean schools are reliant on external firms to fulfil the increasingly complex needs of modern academia. The real question is – how well are the companies that schools use vetted and how can we ensure they are taking security seriously?
Follow BBC Tees on X (formerly Twitter), external, Facebook, external and Instagram, external. Send your story ideas to northeastandcumbria@bbc.co.uk.
Related topics
More stories from the BBC
- Published10 July 2023
- Published10 October 2023