Schools could be targets for data hacks

Cape Town – Schools have been identified as soft targets for hacking, data breaches and even identity theft from online cyber attacks.

Overall, the Western Cape government spends R24 million on its IT security but schools which have an archive of parents’ banking details, ID numbers, home and work addresses remain vulnerable to hacking.

The Covid-19 pandemic forced schools to accelerate online learning and teaching but some experts have warned online security might have been over looked.

The d6 Group, an online school management software company, has raised the issues that not all schools are harnessing smart technology – which is leading to increasing concerns about data security.

The group’s chief executive Willem Kitshoff said: “There are so many advantages to the adoption of online strategies and the increasing use of digital platforms to improve a wide range of relationships within school communities. But school communities comprise real people, with real rights – who also need to be protected online.”

Ross Saunders, who advises d6 as a specialist in data privacy and cyber security, said, “Information that is insecurely stored carries a tremendous risk of being leaked out. Once information is leaked, it’s like toothpaste from a tube. Risks to the person who the data belongs to would likely be identity theft, fraudulent transactions, and extortion.”

The Protection of Personal Information Act 4 of 2013 (POPIA) came into effect on July 1 and Saunders said this is an important piece of legislation.

“Risks to the school would most certainly be reputational damage, but under POPIA there would likely be an inclusion of fines, civil liability (being sued) or both. Schools can also be held to ransom for the information they hold, should a ransomware attack occur due to insecure practices,” said Saunders.

Chief operating officer of In2 IT Technologies Andrew Hoseck said the POPIA alone is no guarantee of online data security.

“If the schools are implementing the principles behind POPIA in terms of protecting information and only gathering information that they absolutely require then yes there would be a measure of protection but the act itself is not going to provide that protection,” he said.

Hoseck said that schools must do everything they can to protect the data they store.

“The burden of proof is put onto the organisation to prove that they actually protected the data and that they have taken measures… nobody can guarantee that it’s safe, but there is an onus on the schools to put what would be considered reasonable measures in place.”

He admits that schools IT systems might not be able to withstand a cyber attack: “Typically your school networks are not armed…they probably have basic firewalls but don’t have multiple levels of security in place, they probably don’t have intrusion systems in place so that they can know when they have a breach.”

The Western Cape Education Department (WCED) has confirmed that each school has it’s own IT security system and contracts in place with IT companies.

WCED director for communications Bronagh Hammond said: “The Department of the Premier, Centre for e-Innovation (CEI) have strengthened Western Cape government security protocols and have a clear strategy in place to combat cyber-attacks. The provincial centralised Education Management Information System (CEMIS) is audited annually by the Auditor General in terms of the security of the system as managed by DotP CEI. We cannot disclose publicly how personal information is stored in detail, as this would be a security risk.”

Hammond added: “Should the school be held to ransom for the information they hold, the standard test that will be used against the school or provincial education department is a negligence test.”

Weekend Argus