Incorrect school sites appearing from a school direct login page

Arbor has concluded its investigation into the incident on the 27th March and confirmed that the only information incorrectly shared between schools was the school name and school logo, which is not personally identifiable information so no further action needs to be taken. We apologise for any undue alarm this has caused.

A separate issue for a small handful of schools meant there was the potential for information to be shared between authorised users within the school. These schools have been contacted directly, and as data processors we reported it to the ICO.

Due to a defect in an infrastructure change some non-personally identifiable information such as school name and logo was incorrectly shown.

This error, while alarming, was superficial and did not mean that schools had access to another school’s data.

We have now completed our detailed analysis of the incident and can confirm no personally identifiable information (PII) was exposed to other users so no further action needs to be taken.

There was a separate misconfiguration caused by the same code release that impacted a small number of schools and involved some personally identifiable information being seen by system users in the same school.

The impacted schools have been contacted proactively by email with details of the issue and what steps if any they should now take.
The incident took place on 27th March 2024 between 10:56 GMT and 13:43 GMT and as Data Processors we reported the issue to the ICO on 28th March 2024.

Some users when logging into their school site through a direct link to the site are encountering other school names appearing on the login page.

We have rectified the issue and users should now see their own school showing as expected when logging in through a direct link.
March 27, 2024 · 12:39