1. Website Planet
  2. >
  3. News
  4. >
  5. Thousands of Children Exposed In UK Student Tracking Software Data Breach
Thousands of Children Exposed In UK Student Tracking Software Data Breach

Thousands of Children Exposed In UK Student Tracking Software Data Breach

Jeremiah Fowler March 27, 2024
March 27, 2024
Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to WebsitePlanet about a non-password protected database that contained over 800,000 documents belonging to a UK-based school tracking software provider.

The publicly exposed database contained 864,603 records, including an estimated 214,000 unique images of children. The database also contained 150 .xml and .xls files that displayed the first and last names of students, the subjects they took, their achievements, and any potential learning disabilities they might have. The records date from 2017 to 2023. Documents in the database (as well as the database’s name) indicate the data belonged to a tracking software called OTrack (also known as Optimum Pupil or Sonar Tracker). Juniper Education — the developer of the software — claims that OTrack is used by more than 7,000 primary and secondary schools in the UK. According to their website, Juniper Education provides pupil performance tracking for school financial management, teacher training, education HR support, and school visits planning.

I immediately sent a responsible disclosure notice and public access was restricted shortly after. It is not known how long the data was exposed or who else may have gained access to the database. Only an internal forensic audit could identify unauthorized access or malicious activity, if any. I received a reply from Juniper Education’s data protection officer thanking me for the notification. They indicated that they would be investigating the incident, but did not provide any additional information or updates after public access to the database was restricted and the data was secured.

The exposed educational data of children is a serious potential risk and raises numerous privacy and security concerns. Children are particularly vulnerable because they may not be aware of the potential identity risks involved, and any misuse of their personal data can go undetected for extended periods of time. Furthermore, educational data that reveals information about a child’s learning disabilities, special needs, or behavioral issues is not intended to be public. If exposed, it could potentially result in stigmatization or discrimination against the child in the future. Academic records or transcripts that contain negative information could potentially affect their future educational or employment opportunities. The UPN (unique pupil number) is a unique identification number assigned to each student in the educational system of the United Kingdom. This number is used to uniquely identify students across all schools and educational information systems, including tracking of the student’s progress throughout their education. The exposed UPN could hypothetically be cross referenced with other past or future data breaches to identify additional personal information. I am not saying that children or the schools who use Optimum Pupil tracking software or Juniper Education’s services are at risk. I am only indicating the importance of safeguarding the personal information of children and identifying the real-world hypothetical risks if children’s data are mishandled or fall into the wrong hands.

Educational institutions are often targeted by cyber criminals due to the personal information they collect and store. Unfortunately, schools usually don’t have large budgets for cyber security and data protection, which could make them a particularly attractive target for cyber criminals. A 2022 report of cyber security in UK schools indicated that out of 174 schools surveyed, 62% have never implemented any training or guidance on cyber security. Furthermore, 48% of the schools in the study have experienced attempts of ransomware attacks, and 17% reported being the victim of some other form of cyber attack. The most concerning statistic was that 31% of the schools did not have any formal IT security policy. The lack of funding, training, and uniform cyber standards is likely a significant factor leading to many schools using third-party services and applications to manage their data. However, as highlighted by this data incident, outsourcing to companies specializing in content management does not invariably ensure complete data protection.

What Can Schools located in the UK Do?

Protecting data from cyber attacks and implementing data protection measures is crucial for educational institutions. The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR) and provides strict guidelines for data protection and reporting data incidents, but schools must do more to secure the sensitive information they store and maintain. I highly recommend schools:
  • Train staff on data protection policies and procedures, highlighting the importance of cybersecurity and safeguarding data.
  • Establish a permissions structure to access data based on staff roles or an as-needed basis. Access to sensitive information should be limited to authorized personnel only.
  • Use firewall protection to monitor and control incoming and outgoing network traffic. This can help restrict any unauthorized access.
  • Backup vital records and store them separately from the primary network. With a proper backup plan, if the network experiences a cyber attack school operations can easily be restored with minimal disruptions.
  • Encrypt sensitive records to protect data from unauthorized access. When sensitive records are encrypted, even if data is exposed, the contents of the documents will not be accessible to malicious actors.
Taking these basic steps can help schools secure their data and the personal information of their students.

I imply no wrongdoing by OTrack, Juniper Education, or the educational institutions, nor do I claim that any children or students were ever at risk. I publish my findings for educational purposes and to raise awareness of real-world cyber security threats and the importance of data protection. It is not known how long the data was exposed or if anyone else gained access to the records. As an ethical researcher, I never download the data I find and take a limited number of screenshots during a manual review to validate and responsibly report my findings. It is unclear if schools, parents, or the Information Commissioner’s Office have been notified of the incident.

Rate this Article
5.0 Voted by 3 users
You already voted! Undo
This field is required Maximal length of comment is equal 80000 chars Minimal length of comment is equal 10 chars
Any comments?
View %s replies
View %s reply
More news
Show more
We check all user comments within 48 hours to make sure they are from real people like you. We're glad you found this article useful - we would appreciate it if you let more people know about it.
Popup final window
Share this blog post with friends and co-workers right now:

We check all comments within 48 hours to make sure they're from real users like you. In the meantime, you can share your comment with others to let more people know what you think.

Once a month you will receive interesting, insightful tips, tricks, and advice to improve your website performance and reach your digital marketing goals!

So happy you liked it!

Share it with your friends!


Or review us on