Capita strikes again: Bug in UK-wide school info management system risks huge data breach
Techies told to patch: ICO probes error that let pupils link to the wrong parents
Updated
Capita has admitted a bug in an information management system used by 21,000 UK schools could have incorrectly linked contact details to the wrong pupils – an incident with huge implications for pupils' data protection.
The error, which has been pinned on a December 2017 upgrade to the Schools Information Management System, could have resulted in schools sending out information about pupils to the wrong address.
Capita has apologised to schools for the bug and has issued a patch that will prevent further records from being corrupted – but this will be cold comfort for those who used the system to send out correspondence ahead of the end of year.
According to an email sent out to schools in one UK county, and seen by The Register, the fault was in the SIMS software matching routine for new pupils. It is understood to affect all users nationally, regardless of whether they are locally or centrally hosted.
“The consequence of the corruption is that contact information for the incoming pupil, for example address, telephone number and email address, may have become associated with other pupils’ records, or the new pupil could themselves be linked to the wrong contact details,” the email stated.
“The problem could have impacted pre-admissions, pupils on roll and the records of school leavers.”
The problem affects common transfer files (CTFs), which are used to transfer children’s information between primary and secondary schools for moving pupils and other ad-hoc transfers. It is explained in more detail in a note on Capita’s website.
“If you have imported a CTF for pupils joining your school, that included parents or other contacts with a name that matched exactly to a contact record already in your database, the applicant may have been linked incorrectly to this person and some data may have changed.”
According to a user on an education technology forum, the software uses a matching routine to check if any of the pupils that are being imported have contacts that already exist in SIMS. If this is the case, that pupil is linked to that contact, with the address being updated if necessary.
“Unfortunately, several aspects of the matching routine [were] accidentally removed so that the matching routine only checks for matching names and gender. The net result is that existing contacts can be given the wrong address and the imported pupil in the admission group can be linked to the wrong contacts,” the user wrote.
“Also where no address for the contact has been included in the [common transfer file], the link from the imported pupil will be to the first existing contact with the same name and gender, but in this case the address for that contact is not changed.”
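The failure mode the forum user describes, reduced to a sketch and set beside a stricter matcher. This is an added example, not Capita's code: the record layout, the function names and the use of address or email as corroborating fields are assumptions, since the page does not say which checks were removed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Contact:                       # hypothetical record layout, not the SIMS schema
    forename: str
    surname: str
    gender: str
    address: Optional[str] = None    # None = no address supplied in the CTF
    email: Optional[str] = None
    pupils: List[str] = field(default_factory=list)

def _norm(s):
    return " ".join(s.lower().split()) if s else None

def _name_gender(c):
    return (_norm(c.forename), _norm(c.surname), c.gender)

def import_weak(db, incoming, pupil):
    """Behaviour described on the page: name and gender are the only keys."""
    for existing in db:
        if _name_gender(existing) == _name_gender(incoming):
            if incoming.address:                 # existing contact's address is overwritten
                existing.address = incoming.address
            existing.pupils.append(pupil)        # pupil linked to the first match
            return existing
    incoming.pupils.append(pupil)
    db.append(incoming)
    return incoming

def import_strict(db, incoming, pupil):
    """Assumed fix: link only when address or email corroborates; never overwrite."""
    for existing in db:
        if _name_gender(existing) != _name_gender(incoming):
            continue
        same_addr = incoming.address and _norm(incoming.address) == _norm(existing.address)
        same_email = incoming.email and _norm(incoming.email) == _norm(existing.email)
        if same_addr or same_email:
            existing.pupils.append(pupil)
            return existing
    incoming.pupils.append(pupil)                # ambiguous or new: keep a separate record
    db.append(incoming)
    return incoming

def demo(importer, new_address="9 High Street"):
    # Constructed sample data: two different people who share a name.
    db = [Contact("Sarah", "Jones", "F", "1 Mill Lane", "sj1@example.org", ["Pupil A"])]
    importer(db, Contact("Sarah", "Jones", "F", new_address, "sj2@example.org"), "Pupil B")
    return db[0].address, db[0].pupils, len(db)
```

Calling `demo(import_weak, None)` reproduces the second case in the quote: the imported pupil is linked to the first same-name contact while that contact's address is left unchanged.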
Capita said that there was a patch for the bug, and that upgrading to the Summer 2018 version would prevent any further corruption.
However, the outsourcer appeared unable to immediately confirm which records were affected. In the email, the local council said that it was waiting for Capita to offer “more clarity” and that until then “we cannot identify or fix any records that have already been corrupted”.
Do not use the SIMS DB
In the meantime, schools are told that, in order to avoid a potential data breach, it is “vital” not to use the SIMS database to send out any communications without thorough checks that the contact details are correct for each pupil.
There are also questions about how long the firm has known about the problem and when schools were informed – which is likely all the more frustrating as many schools will have recently carried out transfers of pupil information for the new school year starting in September.
Some forum users reported having known about the issue up to six weeks ago, while others said that they had found out just this week. Another said that their local authority wasn’t aware of the issue until they raised it yesterday.
On its website, Capita’s Education Support Services appeared to downplay the issue, saying that “only a small number of cases have been reported to our help desk”, but one person reported nearly 100 pupils with the wrong details at their school.
Meanwhile, Capita ESS noted that it had been asked “several times” if it had reported the issue to the Information Commissioner’s Office, but said that as a data processor, this was not its responsibility. “As the data controller it is the customer's responsibility to report any data breaches to the ICO,” it added.
Nonetheless, the ICO told The Register that it was aware of the incident and was making enquiries.
Under new data protection laws, a notifiable breach must be reported to the ICO within 72 hours of the organisation becoming aware of it. The law requires processors to inform a controller of a breach without undue delay, and the requirements on breach reporting should be set out in the contract. Previously, there were no mandatory requirements for breach reporting.
Whether this incident will be considered under the new data protection laws – which came into force on 25 May and carry the potential for higher fines – will depend on the details of the situation.
“We will look at when the incident happened and when it was discovered as part of our work and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts,” the ICO spokesperson said.
Jen Persson, director of rights group Defend Digital Me, slammed the firm's attitude, saying: "Capita profits from the data management of more than 21,000 schools, and must be accountable for its mistakes."
She added that there should be more transparency on schools' records. "Parents and children must be shown their own information on a regular audit basis, and each time before they are shared with third parties and sent to any national systems to check their accuracy, and correct mistakes," she said.
The Register has asked Capita for comment on the situation, along with a timeline setting out when the software bug was first identified, when schools were told and when the patch was first released – but we are still waiting for a response. ®
A Capita spokesperson said: “We have identified isolated instances where the contact details of new applicants to a school have merged with those of existing pupils. This has only happened on rare occasions where the first name and surname of the pupils’ listed contact are an exact match.
“We have taken immediate steps to fix the software to prevent this from happening again and have also issued guidance to schools on how to identify and rectify any issues. We apologise to schools and parents for any disruption this may cause.”