Staff want compensation after summer cyber-attack – Schools Week
Schools warned incident could increase risk of phishing, fraud and identity theft for impacted employees
John Dickens
5 Sep 2025, 13:00
Schools are facing compensation claims from distressed staff who have been told they face increased risk of identity theft after their personal details were “compromised” in a cyber-attack over the summer.
Investigations have been launched into whether criminals have seized the names and addresses, and phone, national insurance and passport numbers of staff.
They follow a “malicious” attack on the software supplier of Single Central Record (SCR). The company says it manages more than 350,000 staff records at 1,500 schools.
Schools are required by law to keep a single central record of data gathered in checks made on staff before they take up jobs. These can be maintained by external providers, such as SCR, also known as Online SCR.
SCR was informed of the breach by its software supplier Intradev on Sunday, August 17.
Steve Cheetham, Intradev’s managing director, said the company “identified unauthorised activity within our systems” on August 4 after a “significant IT security” incident.
Speaking on Thursday, he said a “criminal group has claimed to have taken some data from our systems. We are investigating this as a matter of priority and are coordinating with the relevant authorities.”
The breach has been reported to Action Fraud and the Information Commissioner’s Office (ICO).
SCR said it was unable to say how many schools have been hit, but it has provided schools with a list of affected staff.
“Breach management” documents sent to schools by SCR say the incident “may increase the risk of phishing, fraud attempts, and identity theft for affected individuals”.
Concerned teachers have taken to social media forum Reddit to ask for advice.
One said they were “feeling very overwhelmed and worried about the potential impact that this could have”.
They also claimed they were informed a month after the breach happened on July 31.
Under GDPR rules, organisations must report data breaches to the relevant authority within 72 hours, with those affected by high-risk incidents also informed “without undue delay”.
SCR said the breach was a “moderate to high risk due to the sensitivity of the data involved”, but no financial or criminal checks were compromised.
In a blog post, Lucas Atkin, the head of information law at Stone King, said if criminals seized data, “it is common [they] threaten to release information on the dark web for auction unless a ransom is paid”.
Schools have been told to inform staff to be “aware” of suspicious emails, phone calls, messages and phishing or impersonation attempts.
They should also avoid “clicking on unusual links” and have been advised to “consider identity protection measures” and to change passwords, including enabling two-factor authentication.
SCR also told schools to consider registering affected staff with CIFAS, a fraud prevention membership organisation, as a “risk mitigation action”. Membership costs £30.
Claire Archibald, legal director at Browne Jacobson, said staff were asking schools and trusts for compensation, and to pay for new passports.
But she warned employers “must be careful” as there was “no duty on schools and trusts to make such payments”.
They would also likely qualify as “novel, contentious or repercussive transactions”, which required government approval.
Atkin advised schools to put Online SCR “on notice for any expenses of losses which may be incurred or suffered due to the breach”.
Jay Ashcroft, a director of School SCR, another provider of record services, and a former trust data protection officer, said schools should “immediately undertake” a comprehensive Data Protection Impact Assessment (DPIA) review of their contracts with Online SCR.
But one expert, speaking anonymously, said they had spoken to trusts who had not completed a DPIA before entering into the contract – which could leave schools open to legal action.
Chelmer Valley High School, in Essex, was reprimanded last year by the ICO for failing to complete a DPIA before introducing facial recognition technology for cashless catering.
Atkin also claimed “most” of the schools Stone King was advising “were not aware that Intradev was involved in the provision of Online SCR’s services”.
Neither company responded to a request for comment about whether schools were told Intradev would have access to their personal data.
Ashcroft said the incident was a “stark reminder that schools can no longer afford to take a casual approach to data protection”.
Of the 67,000 data breaches reported to the ICO since 2019, 9,347 (14 per cent) were from the education and childcare sector. The only sector with more breaches was health (12,422).
SCR said its systems “remain incredibly secure” and it has since revoked access from Intradev.
Cheetham said the “swift response” of its IT team meant systems were “successfully secured and recovered… which meant we were able to minimise operational disruption”.
Published by
EducationScape Ltd
1 EdCity Walk, EdCity
London
W12 7TF
© EducationScape
This article was autogenerated from a news feed from CDO TIMES selected high quality news and research sources. There was no editorial review conducted beyond that by CDO TIMES staff.

