6th Edition Data Breach Newsletter - Spring 2024


TERMLY DATA BREACH NEWSLETTER

Welcome to the 6th Edition, Spring 2024, of the Data Breach Newsletter. This newsletter includes reminders and hints and tips relating to the prevention of data breaches. It also contains details summarising breaches, if any, that have occurred throughout the previous term at Chadwell. Even though you follow the strategies and procedures that we have in place and often ask for my advice, there is always the possibility of an unintentional breach of data. If you are uncertain whether a breach has occurred, please do not delay in reporting it to me, as I need time to complete the relevant paperwork and obtain advice from our Redbridge Governance Lead as to whether it needs to be reported to the ICO. If it does need reporting, we only have 72 hours to do this from the date of the breach. Chadwell Primary School will be severely penalised if this rule is not adhered to.

If you need guidance or advice for any GDPR matters please come and see me or you can email me at: gdpr@chadwellprimaryschool.co.uk

DATA BREACH OCCURRENCES IN THE SPRING 2024 TERM

Reporting a breach can be used to guide training, awareness and policy. We are therefore all able to benefit from the learning curve caused by data breaches. If you are unsure if an incident qualifies as a breach, please contact me and we can discuss its impact.

I am extremely happy to report that no data breaches have occurred at Chadwell during the Spring term. Thank you everyone for your vigilance.

WHAT ARE PHISHING ATTACKS

Phishing is the most common form of spam. It’s typically delivered through an email, chat, web ad or website that has been designed to impersonate a real person or organisation. Phishing messages deliver a sense of urgency or fear to persuade the user to give up their data. A phishing message might come from an individual impersonating a bank, the government or a major corporation.

MOST COMMON TYPES OF PHISHING ATTACKS

Vishing

Vishing is similar to phishing, except it happens over the phone. The scammers ask for your personal information such as date of birth, address, financial information etc.

Baiting

Baiting, similar to phishing, involves offering something enticing in exchange for your login information or private data. The “bait” comes in different forms, such as a music or movie download, or a corporate-branded flash drive labelled “Executive Salary Summary Q3” that is left out on a desk for someone to find. Once the bait is downloaded, malicious software is delivered directly to the device, giving the hacker access.

Quid Pro Quo

Quid pro quo involves a hacker requesting critical data or login credentials in exchange for a service. For example, you receive a phone call from the hacker who poses as a technology expert offering free IT assistance for personal information. If an offer sounds too good to be true, it probably is quid pro quo.

Spear Phishing

A Spear Phishing attack occurs when a phishing attempt is crafted to trick a specific person rather than a group of people. The attackers either already know some information about the target, or they aim to gather that information to advance their objectives. Once personal details are obtained, such as a birthday, the phishing attempt is tailored to incorporate those details in order to appear more legitimate. These attacks are typically more successful because they are more believable.

Whaling

Whaling is a sub-type of Spear Phishing and is typically even more targeted. The difference is that Whaling is aimed at specific individuals such as business executives, celebrities and high-net-worth individuals. The account credentials of these high-value targets typically provide a gateway to more information and potentially money.

Smishing

Smishing is a type of phishing attack deployed via SMS message. This type of phishing attack gets more visibility because of the notification the individual receives and because more people are likely to read a text message than an email.

FOLLOW THESE FOUR TIPS TO HELP AVOID SPAM

Slow down. Spammers want you to act first and think later. If the message conveys a sense of urgency, carefully review before deciding to act.

Research the facts. Be suspicious of any unsolicited messages. If the email looks like it is from a company you use, but something seems off, do your research.

Beware of any download. If you don’t know the sender personally and receive a file out of the blue, be wary of downloading it.

Don’t let a link be in control of where you land. Find the website yourself using a search engine to be sure you land where you intend to land. Hovering over links in email will show the actual URL at the bottom, but a good fake can still steer you wrong.

SENDING EMAILS SAFELY

● When sending emails that contain personal information to an external person or organisation, always send them by secure email via Egress or the Microsoft secure email facility. This will ensure that the email has been sent to the correct person, as they need to have an account and ID code to receive and open the message.

● Use Groupcall messaging when sending to multiple contacts so that email addresses are not revealed to all recipients.

● Do not include a person’s name in the subject bar as this draws attention to the fact that there may be personal information contained in the email. If it is relevant perhaps just include their initials.

● Always type the email address and not the recipient’s name as there may be a number of other people with the same name in your address book and your email could be sent to the wrong person.

● Do not copy and paste an email address. If it’s not copied and pasted properly it will be sent to the wrong recipient. Always type the email address.

● You should periodically review your emails and delete as appropriate so that it reduces the amount of data you store in your mailboxes.

SPOT CHECKS

To further prevent breaches from occurring, random spot checks have been carried out in all areas of the school to identify potential breaches made by staff members. The following observations were logged and need your attention please:

An unattended computer in one classroom was left unlocked.

It is important to lock your computer when you are leaving your desk to minimise the risks of your data being lost or accessed by someone without your knowledge.

An EHCP folder was left out in one classroom.

These folders contain a lot of sensitive personal information relating to a pupil. Please ensure that personal or sensitive information is put in a drawer or cupboard, preferably locked.

Please be mindful of your classroom/work area for the above issues as spot checks will be carried out on a regular basis.

Please keep your desk as clear as possible.

GENERAL REMINDERS

SHARING INFORMATION

● Please only share information about pupils, staff and governors with the appropriate person and only on a need-to-know basis.

● Safeguarding information should only be shared with the Safeguarding Leads: Ritu Kalhan and Georgia Barnes.

● Ensure any information with personal or sensitive data e.g. name, address, DOB, ethnicity etc. is not sent home with children.

● Please ensure that personal data is not shared on classroom interactive smart boards and do not use your virtual keyboard to log in to your computer. There have been instances reported, not at Chadwell, where a pupil has been able to access a teacher’s computer as they have seen the password on the big screen. They may not remember what they have learnt in the lesson but will remember your password!!

GUIDELINES FOR WORKING REMOTELY

DO

● Shut your laptop down completely for transit to allow the encryption to work.

● Lock your laptop when you step away from it, even when it is only to make a cup of tea.

● Have confidential phone conversations where you cannot be overheard.

● Keep a log (which stays in the office or on the network) of confidential papers that are removed from the office.

● Make sure your line manager knows you have removed confidential documents.

● Keep confidential papers separate from valuables during transit (and not in your laptop bag or handbag).

● Ensure confidential papers are stored securely, ideally in a locked cupboard or room.

● Use your laptop for work purposes only and abide by the Acceptable Use Policy.

● Report any data protection or information security breaches immediately to Tracey Cahill (DPO) or email gdpr@chadwellprimaryschool.co.uk.

● Use encryption in the same way you would when working in the office, using the built-in Microsoft facility, which is the encryption platform that our school uses. This will also indicate to the recipient how you expect them to handle the information.

DO NOT

● Print any documents (do not be tempted to send documents to your personal mail account so you can print them).

● Leave school paperwork and/or laptops in your car unattended.
