Students at a leading college for barristers were able to access files containing information on hundreds of other current and prospective students, after what the college has described as a technical “issue”.
The Inns of Court College of Advocacy (ICCA), which offers training to future barristers, has informed the Information Commissioner’s Office of a breach that left sensitive college files accessible to students on the college’s web portal.
Computer Weekly understands that some students at the college were able to view files containing private and sensitive information on nearly 800 students, including more than 440 personal email addresses.
The breach left personal data including email addresses and phone numbers, as well as academic information including exam marks and previous institutions attended, accessible to students at the college.
The students were also able to access ID photos along with student ID numbers and sensitive data that included health records, visa status and whether they were pregnant or had children.
The ICCA offers a year-long training course for future barristers based on a mixture of e-learning, in-person teaching and self-study. According to the college’s website, the first half of its two-part course is “delivered entirely online”.
The ICCA’s director of operations, Andy Russell, told Computer Weekly that an unspecified “technical issue” meant “certain students” could access files that should be restricted to staff alone. He said the college sought written undertakings not to share the data further from those who had access to the files.
The college did not confirm how many students had been able access the files to date.
“The ICCA experienced a data breach in August 2023,” said Russell. “Due to a technical issue, certain registered students submitting search requests in their [email protected] email accounts were returned results that included some files from the ICCA’s staff-only SharePoint site.
“As soon as the issue became known, immediate action was taken to secure the files affected,” he added.
The Information Commissioner’s Office (ICO) has also confirmed it was notified of the breach and that it is considering its next steps.
An ICO spokesperson said: “The Council of the Inns of Court has made us aware of an incident and we are assessing the information provided.”
Russell said the data breach was contained within the college institution and that it did not pose a “high risk” to affected individuals’ “rights and freedoms”.
“The ICCA fully investigated the breach and verified that no financial data or log-on/password data was accessed,” he said.
Russell said: “It has been able to determine that no personal data was shared beyond our institution, although some files were accessed by a very small number of ICCA students. We contacted those students who did access files and have received written undertakings from them that any data they may have viewed has not been shared with other parties, and never will be in future.
“Once the full facts of the breach were established, and after consulting with external IT and GDPR experts, the ICCA completed a thorough risk assessment,” he said.
Russell added that applying the relevant tests, it was concluded that the matter did not represent a high risk to the “rights and freedoms” of those individuals affected.
“Nevertheless, and in the interests of transparency and candour, the ICCA proactively notified all those whose data had been viewed of the details of the breach,” he said.
Data protection lawyer Dai Davis told Computer Weekly the significance of the college claiming the data breach did not pose a “high risk” meant the college did not then have to notify all students whose data had been compromised.
Under GDPR, the college was under no obligation to contact all individuals whose data may have been viewed but was obliged to contact the ICO.
“The college has stated that it has nevertheless notified those whose data the college is aware were ‘viewed’,” he said.
“But since the college has stated merely that the nature of the breach was a ‘technical issue’, one cannot determine whether this means all the individuals whose data had been accessed have been contacted.”