Up to 20,000 more pupils’ data may have been stolen in a cyber-attack on the government outsourcer Capita.
Schools Week previously revealed how 30,000 pupil personal data records were thought to have been taken when hackers targeted the company last year.
Ninety organisations had reported breaches of personal data held by Capita, which runs primary school SATs for the Standards and Testing Agency (STA).
However, in a freedom of information response, the Department for Education has revealed that after a full investigation, 50,780 pupil records were “affected”.
This included names, dates of birth, unique pupil number, type of test taken and the schools’ DfE number.
This new figure “may have included duplicates”, the department said, so it was “unable to accurately determine the unique number of pupils that had their personal data compromised”.
The government refused to release the full investigation report as it contained “a list of pupils whose data was compromised in the cyber-attack and the details of the specific personal data stolen for each individual pupil”.
The department said in its FOI response that Capita had “undertaken ongoing monitoring and there is no evidence to date that the data stolen … has been circulated more widely or made available online.”
But when asked for comment this week, it refused to confirm if the pupils or schools affected had been informed. Last year, it said because there was “not a high risk posed, we are currently unlikely to inform the STA data subjects”.
In its annual report, the STA “assessed the privacy risk to be low, as the exfiltrated information was classed as basic personal identifiers and therefore likely to be of little value to those accessing the data”.
The Information Commissioners’ Office is continuing its investigation.
The DfE and Capita declined to comment.
