
Privacy Update: How Secure is your School Website?

14/09/16
Resources

Privacy compliance is a nebulous area for non-government schools to manage. Advertising through websites and social media accounts is an excellent way of engaging with current and prospective staff, students, and parents. There is, however, a serious risk to providing information online, namely, data breaches.

To understand the impact of data breaches on a school, as well as the wider school community, we will discuss the case of Ashley Madison that came to the media's attention in August 2015.

The Ashley Madison hack

Ashley Madison is the notorious dating site that offers users the opportunity to engage in extra-marital affairs. The site's motto is: life is short, have an affair. The site, managed by Avid Life Media (ALM) operating out of Canada, has outraged religious groups, family-oriented groups, and many ordinary people around the world as an affront to the institution of marriage.

The site promoted a secret and safe way of cheating; it even shielded account payment details so that suspicious spouses would not pick up on the website payment in their partner's bank statements. But the affair was short lived. In July 2015, the company discovered a breach of its system. Shortly after, ALM received an ultimatum email from the hacker or hackers known as The Impact Team, who threatened to publish private information about clients unless both the Ashley Madison and Established Men sites were shut down. Established Men is a dating site focused on pairing up older men with younger women.

ALM refused to remove the web pages, and, on 18 August 2015 and 20 August 2015, the private information of 36 million accounts was leaked onto the web by The Impact Team.

Joint Investigation

The Privacy Commissioner of Canada (OPC), the Australian Privacy Commissioner, and the Acting Australian Information Commissioner (OAIC) ordered a joint investigation into the data breach. The report coming out of this investigation was released a little over a year later, in late August 2016. We introduced the OAIC investigation in a previous privacy article here.

Following the leak, there was widespread panic. Names were smeared, including church and public officials. Marriages were broken. Divorces ensued.

The details picked up by the hackers were extensive. Personal information such as postal codes, weight, height, date of birth and relationship interests were divulged. Passwords were leaked, the last four digits of credit cards and even the photographs and private communications of users could have been acquired by The Impact Team in the attack.

In the fallout, ALM went into damage control. The company took immediate steps to ramp up security, including temporarily shutting down its VPN remote access server the same day. ALM soon after engaged a cyber security consultant to investigate and respond to the privacy crisis and issued a press release confirming that the data breach had occurred. ALM responded to requests by the OPC and OAIC to provide additional information about the breach on a voluntary basis. To strengthen its system further, it engaged Deloitte to assist with information security practices. While the information was already in the public domain, ALM attempted to wind back the repercussions by sending takedown notices to all sites displaying data spread by The Impact Team.

In their investigation, the OAIC and OPC interviewed the CEO, COO, General Counsel and other senior executives to understand the systems and procedures in place. They also requested information from the cyber security consultant.

Many people listed by the hackers received extortion emails from opportunistic operators who sought to make a dollar by exploiting users' panic. The emails suggested that clients could have their data stripped from the web before it was seen by a partner or someone else in the community. The reality was that the information had been spread too wide and too fast. Like an unravelled ball of wool, there was no way of winding it back up without leaving tell-tale signs.

Recommendations

The joint investigation has provided ALM with a set of recommendations that will be overseen over the next 12 months. The organisation, as defined under the Privacy Act, was required to take 'reasonable steps' to protect personal information. In light of the above events, the OAIC and OPC found it did not take reasonable steps considering the nature of the information stored on its servers. Further, under the Personal Information Protection and Electronic Documents Act (a Canadian Act commonly known as PIPEDA) principle 4.7, security should have been high due to the personal information that was collected and the type of service being provided. It was the view of the investigators that privacy training was inadequate. Training had been provided to C-level executives, senior IT staff and new employees, but not to 75% of employees. Finally, the company, in a glaring oversight, did not have a documented risk management framework.

OAIC and OPC recommended that the following schedule be met:

  • December 2016: ALM must have a comprehensive review of the protections it has in place to protect personal details;
  • May 2017: an information security framework should be created and implemented. Steps should be taken to ensure staff are aware of all new security procedures;
  • July 2017: a third party must provide a review report; and
  • February 2017: ALM must review its terms and conditions, privacy policy and other information.

School sites hacked

But data breaches are not just reserved for websites promoting indecorous services. Earlier this year a Four Corners report revealed that thousands of Australian websites had been hacked, including school sites. The data siphoned out of these sites was exported to the dark web, a minefield for exploitation and extortion. This demonstrated, if nothing else, that schools are not beyond the reach of hackers.

International anti-virus and security software producer Kaspersky reported that more than 70,000 computers from around the world were targeted, with their usernames and passwords now up for sale.

Former manager at the Australian Cyber Security Centre Tim Wellsmore was not surprised by the attack on the servers, saying, "Those servers would be computers everywhere across Australia, including in people's homes that are just sitting there already compromised waiting to be used for an attack."

Protecting your personal information online

Any data stored on your school's server has the potential to be hacked. The key message to take back to the classroom is twofold: beware of housing very sensitive information online, and put a privacy strategy in place to prevent attacks. Training staff on password usage and clarifying the type of information that is to be kept online will strengthen your security posture. Undertaking a risk analysis is another tool available to you. Ultimately, nothing on the web is ironclad, and the reputational damage from a breach can be widespread.

Schools should also be aware of what to do in the event that a breach of privacy does occur. The Office of the Australian Information Commissioner has published a useful guide entitled ‘Guide to developing a data breach response plan’ which was developed to assist entities who have obligations under the Privacy Act 1988 (Cth) to respond effectively to data breaches. The guide provides general guidance on key steps and factors to consider when responding to a data breach, including notification of breaches.

For more information about how to comply with your school’s privacy obligations, download the CompliSpace Whitepaper or view the CompliSpace privacy for non-government schools webinar Privacy in Practice: One Year On.

What is your online privacy policy?

About the Author

Ideagen CompliSpace
