Threat Intelligence

Education Data Breaches: Pupil Records, Exam Data and What Happens When Schools Are Breached

Education institutions hold some of the most sensitive personal data in UK society: pupil records, safeguarding files, special educational needs assessments, and exam data. When this data is breached, the consequences extend far beyond regulatory fines. In 2021, Pearson, the London-headquartered education company, was fined by the US Securities and Exchange Commission over a 2018 breach that exposed student data held on its AIMSweb assessment platform, and over investor disclosures that misrepresented the incident. In October 2020, Hackney Council's ransomware attack affected systems holding pupil records for schools across the borough, triggering ICO scrutiny and months of remediation.

Key points: Pearson was fined by the SEC in 2021 over a 2018 breach of student data on its AIMSweb platform and for misleading investors about it. The Hackney Council ransomware attack of 2020 affected pupil records across borough schools.

Types of Data Breaches in Education

Education data breaches fall into several categories, each with different causes and consequences:

  • Ransomware: attackers encrypt systems and, increasingly, exfiltrate data before encrypting so that the stolen copy can be used for extortion even if backups are restored (Newcastle University, Harris Federation)
  • Supply chain breaches: EdTech vendors are breached, exposing data shared by schools — Pearson, MOVEit-affected universities
  • Accidental disclosure: staff send personal data to wrong recipients, share files insecurely, or misconfigure cloud storage
  • Unauthorised access: former staff retaining access, weak passwords, or compromised accounts
  • Physical breaches: lost or stolen devices containing unencrypted pupil data
  • Third-party processor breaches: local authority or MAT systems holding school data are compromised

The Pearson Breach and Supply Chain Risk

The Pearson case is instructive for UK schools in two ways. First, it demonstrates that EdTech supply chain risk is real: schools sharing pupil data with assessment platforms, learning management systems, and administrative software are exposed to breaches at the vendor level even when the school's own systems are secure. Second, the SEC enforcement action was a securities-disclosure penalty, not a data-protection one; it punished the way the breach was described to investors, which highlights the reputational and financial consequences that follow when an organisation downplays breach severity. Under UK GDPR, schools must have a written contract (commonly a Data Processing Agreement) with every EdTech vendor that processes pupil data on their behalf, and must conduct due diligence on those vendors' security practices before sharing data.

The MOVEit Vulnerability and Universities

The MOVEit Transfer vulnerability exploited at scale in 2023 by the Clop extortion group affected universities and education institutions globally that used the product for managed file transfer. Institutions including the University of Rochester and Colorado State University had sensitive data exfiltrated even though nothing specific to them was targeted: the flaw was in a product they, or a vendor acting for them, ran, so one exploit worked against every exposed instance. UK universities using MOVEit were among those affected. This illustrates that software supply chain risk is as significant as direct attack risk for education institutions, and that patching timelines for internet-facing transfer and hosting products matter as much as the security of in-house systems.

ICO Enforcement After Education Data Breaches

The ICO has taken enforcement action against multiple UK schools and education-related organisations for data protection failures. Common issues include: failure to report breaches within 72 hours; inadequate security measures (no MFA, unpatched systems); failure to have Data Processing Agreements with vendors; unlawful use of CCTV or biometric data; and sending personal data to incorrect recipients. Following a serious breach, the ICO will assess not just the breach itself but whether the organisation had appropriate preventive measures in place.
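The two preventive failures named above that a school can check for itself are former staff retaining access and accounts without MFA. The script below is an added example, not code from the original page or from any vendor: it reconciles an HR leavers export against an identity-provider user export and reports leavers whose accounts are still enabled, leavers who signed in after their last day, and enabled accounts with no MFA. The column names and all records are constructed for illustration; a real export would need its columns mapped to these.

```python
"""Stale-account and MFA audit over two CSV exports (added example).

Assumes an HR export with columns email,last_day and an identity-provider
export with columns email,enabled,mfa_enrolled,last_sign_in. Both the
column names and the rows below are constructed sample data.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample HR export: staff who have left and their last working day.
HR_LEAVERS_CSV = """\
email,last_day
j.smith@example-school.sch.uk,2024-03-29
a.khan@example-school.sch.uk,2024-07-19
"""

# Constructed sample identity-provider export: one row per account.
IDP_USERS_CSV = """\
email,enabled,mfa_enrolled,last_sign_in
j.smith@example-school.sch.uk,true,false,2024-05-02
a.khan@example-school.sch.uk,false,true,2024-07-18
m.jones@example-school.sch.uk,true,false,2024-09-01
s.patel@example-school.sch.uk,true,true,2024-09-03
"""

# Assumed policy: an account must be disabled by the end of the leaver's last day.
GRACE_DAYS = 1


def parse_csv(text):
    """Parse a CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(hr_csv, idp_csv, today_iso):
    """Reconcile the two exports as of today_iso (YYYY-MM-DD).

    Returns a dict with three lists, in identity-provider row order:
      leaver_still_enabled      -> (email, days since last day)
      leaver_used_after_leaving -> (email, last sign-in date)
      no_mfa                    -> email of each enabled account without MFA
    """
    today = date.fromisoformat(today_iso)
    leavers = {
        row["email"].strip().lower(): date.fromisoformat(row["last_day"])
        for row in parse_csv(hr_csv)
    }
    findings = {"leaver_still_enabled": [], "leaver_used_after_leaving": [], "no_mfa": []}
    for user in parse_csv(idp_csv):
        email = user["email"].strip().lower()
        enabled = user["enabled"].strip().lower() == "true"
        mfa = user["mfa_enrolled"].strip().lower() == "true"
        last_sign_in = (
            date.fromisoformat(user["last_sign_in"]) if user["last_sign_in"].strip() else None
        )
        if email in leavers:
            last_day = leavers[email]
            if enabled and today > last_day + timedelta(days=GRACE_DAYS):
                findings["leaver_still_enabled"].append((email, (today - last_day).days))
            # A sign-in after the last day is evidence of use, not just exposure.
            if last_sign_in is not None and last_sign_in > last_day:
                findings["leaver_used_after_leaving"].append((email, last_sign_in.isoformat()))
        if enabled and not mfa:
            findings["no_mfa"].append(email)
    return findings


if __name__ == "__main__":
    report = audit(HR_LEAVERS_CSV, IDP_USERS_CSV, date.today().isoformat())
    for category, items in report.items():
        print(f"{category}: {len(items)}")
        for item in items:
            print("   ", item)
```

Accounts that appear in the leavers list but are absent from the identity-provider export are not flagged, which is deliberate: absence means the account is gone. The reverse gap, an enabled account in the identity provider for someone HR has no record of, is the case most worth following up manually when the two exports disagree.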

Frequently Asked Questions

What data must schools report to the ICO after a breach?

Schools must report a personal data breach to the ICO within 72 hours of becoming aware of it if the breach is likely to result in a risk to individuals' rights and freedoms. The report must describe the nature of the breach, the categories and approximate number of individuals and records affected, the likely consequences, and the measures taken or proposed to address it. Not every breach requires ICO notification: an incident that poses no risk to individuals does not. Every breach, reported or not, must still be recorded internally with the reasoning behind the decision, because the ICO can ask to see that record.

Are schools liable for data breaches at their EdTech vendors?

Schools remain the data controller for pupil data they share with EdTech vendors (processors). If a vendor suffers a breach involving school pupil data and the school did not have adequate contractual protections (a Data Processing Agreement) or failed to conduct appropriate due diligence, the school may face ICO scrutiny. The vendor has obligations of its own under UK GDPR, including notifying the school without undue delay when it becomes aware of a breach, but the school's 72-hour clock runs from when the school is aware, so the contract should set a short notification deadline for the vendor. Schools should ensure all EdTech contracts include appropriate DPA terms and that vendors can evidence their security practices.

What is exam data and why is it sensitive?

Exam data includes predicted grades, actual grades, exam scripts, special arrangement records (for pupils with disabilities or SEN), and access arrangement documentation. This data is sensitive because it can reveal personal information about pupils' abilities, disabilities, and learning needs; where it concerns health or disability it falls within the special category data that UK GDPR protects most strictly. Exam board data processing is governed by strict contractual terms, and unauthorised disclosure of exam data, particularly results before publication, can have serious consequences for pupils and institutions.
