Breach details
What | Loss of personal information. |
How much | An unknown number of records. |
When | 28/29 June 2012 |
Why | The Register reported that email addresses, unencrypted passwords and individuals’ answers to questions posed in a consultation were accessible due to a security flaw in the Department for Education’s website. |
BW Comments
Judging by the description in The Register, the vulnerability looked like a session management problem, something that should have been caught by the most rudimentary penetration test. |
Regulatory action
Regulator | ICO | Action | None taken. The Register reported that it had got in touch with the ICO which, while acknowledging that the Department had breached the seventh principle, stated “As the personal information compromised was not sensitive and any distress caused is likely to have been minimal, we have decided that no further enforcement action is required at this time.” |
BW Observations
Just because an organisation breaks the DPA, the ICO isn’t bound to take action. However, BW would have expected the ICO to have sought an undertaking from the Department that it would properly test any website that collected personal data. |
Links
Original report from The Register |