Multi Academy Trust Issued with ICO Reprimand Following Data Breach


In today’s digital age, data protection is paramount, and organisations that target or collect data within the EU are bound by the General Data Protection Regulation (GDPR) to safeguard personal data. The repercussions of failing to adhere to GDPR standards can be severe, as we recently witnessed with the case of Finham Park Multi Academy Trust.

The Information Commissioner’s Office (ICO) reprimanded the trust, highlighting the critical importance of robust data security measures.

What Was Breached?

The trust reported a cyber-security breach to the ICO following unauthorised access to its systems by a third party. It was identified that the third party used compromised log-in credentials to gain access to and encrypt its IT systems. It is reported that 1,843 UK data subjects were affected by the incident.

Prior to the incident, the MAT reported three similar incidents to the ICO, following which the ICO issued guidance outlining the importance of implementing appropriate password policies and account management procedures. As part of its investigation into the trust’s most recent security breach, the ICO identified that it had failed to follow the guidance previously issued and therefore had not implemented appropriate technical and organisational measures to secure its systems. This was deemed an aggravating factor in the decision to reprimand the trust.

What is an ICO Reprimand?

A reprimand is a written letter stating that the ICO believes an organisation has not complied with the GDPR. It is often accompanied by a list of reasons for the decision and recommended actions that an organisation should take. Sometimes a reprimand asks an organisation to report back to the ICO on steps they have taken to correct any non-compliance.

Reprimands have been part of the GDPR since its inception, tucked away at Article 58(2)(b). They are typically issued following an ICO investigation and where an infringement is not serious enough to warrant a penalty or enforcement notice. Reprimands have been issued in a range of circumstances and most have been for smaller data breaches or failing to comply with data subject rights, like data subject access requests.

Reprimands are used frequently against public sector entities instead of penalties, where the Commissioner does not believe that penalties against the public purse are useful.

GDPR Regulations Breached

Finham Park found itself in hot water with the ICO due to shortcomings in their data security practices. The breach in question centered around two key GDPR articles:

  • Article 5(1)(f): Ensuring the confidentiality and integrity of systems and services.
  • Article 32(1): Implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

The trust failed to meet these requirements for several reasons:

1. Inadequate Technical Measures: One of the primary issues was the lack of appropriate technical measures to safeguard the confidentiality and integrity of their systems. This left their digital infrastructure vulnerable to cyber-attacks and data breaches.

2. Poor Password Management: Finham Park Multi Academy Trust’s password policies were inadequate. They did not have account lockout mechanisms in place, meaning that there was no limit to the number of times a user could attempt to log in, making it easier for malicious actors to gain unauthorised access.

3. Reversible Password Encryption: Another critical error was enabling reversible password encryption. This meant that passwords were stored in a format that could be easily deciphered, exposing sensitive user data.

4. Lack of Multi-Factor Authentication: Multi-factor authentication (MFA) is an additional layer of security that requires users to provide multiple forms of identification before gaining access to their accounts. Unfortunately, Finham Park Multi Academy Trust did not implement MFA, leaving their systems vulnerable to password-based attacks.

5. Insufficient User Training: Users play a crucial role in maintaining data security. In this case, employees had not received adequate training on the importance of strong, non-reusable passwords. This lack of awareness left the organization exposed to social engineering attacks.

The Importance of Cyber Awareness Training, Robust Password Policies, and MFA

The case of Finham Park Multi Academy Trust serves as a stark reminder of the critical importance of robust data security practices:

Staff Cyber Awareness Training: Employees must be educated about the potential threats they may encounter and the role they play in protecting sensitive data. Regular training sessions can help staff recognise phishing attempts and understand the significance of implementing and adhering to security policies.

Robust Password Policies: Implementing strong password policies is essential. This includes enforcing password complexity, regular password changes, and account lockout after multiple failed login attempts. Passwords should be treated as sensitive information and never stored in a reversible format.

Multi-Factor Authentication (MFA): MFA adds an extra layer of security by requiring users to provide multiple forms of identification. Even if an attacker obtains a password, they would still need another authentication factor to gain access. Implementing MFA can significantly enhance an organization’s security posture.
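
The lockout and reversible-storage settings described above can be checked mechanically. The following is an added example, not part of the original article or the ICO report: it audits the `[System Access]` section of a policy file produced by `secedit /export` and flags the weak values. It assumes a Windows environment (the article does not state the platform), the sample export is constructed, and MFA is not recorded in this file so it has to be verified separately.

```python
# Added example: audit the [System Access] section of a `secedit /export` policy file.
# Real exports are usually UTF-16 encoded; decode the file before passing the text in.

SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 7
PasswordComplexity = 0
LockoutBadCount = 0
ClearTextPassword = 1
[Event Audit]
AuditLogonEvents = 0
"""  # constructed sample, not taken from any real system

# setting name -> (test for a weak value, finding text)
CHECKS = {
    "LockoutBadCount": (lambda v: v == 0, "no account lockout: unlimited failed log-in attempts"),
    "ClearTextPassword": (lambda v: v == 1, "passwords stored using reversible encryption"),
    "PasswordComplexity": (lambda v: v == 0, "password complexity is not enforced"),
}

def parse_system_access(text):
    """Return the integer-valued settings found under [System Access]."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and INF comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "system access" and "=" in line:
            key, _, value = line.partition("=")
            value = value.strip()
            if value.lstrip("-").isdigit():  # ignore string settings such as account names
                settings[key.strip()] = int(value)
    return settings

def audit(text):
    """Return (setting, finding) pairs; a setting missing from the export is reported, not assumed safe."""
    settings = parse_system_access(text)
    findings = []
    for name, (is_weak, message) in CHECKS.items():
        if name not in settings:
            findings.append((name, "setting absent from export: verify manually"))
        elif is_weak(settings[name]):
            findings.append((name, message))
    return findings

if __name__ == "__main__":
    for name, message in audit(SAMPLE_EXPORT):
        print(f"{name}: {message}")
```
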

How Did the Trust React?

“The commissioner welcomes the remedial steps taken by Finham Park in light of this incident. They restored their systems from backups, implemented MFA across the trust and signed off a digital transformation project plan which included credential monitoring” – GDPR Reprimand Report.


The ICO’s reprimand of Finham Park Multi Academy Trust for GDPR breaches underscores the severe consequences of neglecting data protection regulations. To avoid similar pitfalls, organisations must prioritise staff cyber awareness training, enforce robust password policies, carry out credential monitoring, and implement multi-factor authentication.

These measures are not just regulatory requirements; they are essential safeguards against the ever-evolving landscape of cyber threats. In today’s digital world, the security of personal data is non-negotiable, and organisations must take proactive steps to protect it.

