News: 1757499186

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Flu jab email mishap exposes hundreds of students' personal data

(2025/09/10)


A clumsy data breach has affected hundreds of children at a Birmingham secondary school.

The school said in an email to parents that students in Year 7, up to and including Year 11 (ages 11-16), had their names, gender, dates of birth, and their parents' contact details exposed via a spreadsheet mistakenly shared with other parents.

According to aggrieved parents, the school sent an email seeking consent for their children to receive flu jabs, but upon clicking a link in that message, the spreadsheet began downloading.

[1]

Tudor Grange told The Register that the data exposure was active between 0950 and 0959 local time on Monday, September 8, and was only visible to those with access to the school's Bromcom-powered intranet.

[2]

[3]

"The breach involved the accidental disclosure of a spreadsheet sent to our parent body that contained student names, DOB, gender, parent/carer contact telephone numbers of students in Years 7 to 11," it said in a statement.

"We have apologised to our school community for this incident and have been responding to any concerns throughout.

[4]

"Our first step was to contain the breach by contacting our management information system provider and ensuring that the [5]SMS message was removed and recalled.

"We also asked parents/carers who received this information to delete it as soon as possible.

"We have reported this to the Trust Data Protection Officer, who is investigating this breach, will liaise with the ICO as necessary and will put measures in place to ensure this doesn't happen again."

[6]

Tudor Grange currently teaches 1,198 students, including its sixth form, according to government statistics.

[7]Database tables of student, teacher info stolen from PowerSchool in cyberattack

[8]Knock-on effects of software dev break-in hit schools trust

[9]PowerSchool paid thieves to delete stolen student, teacher data. Looks like crooks lied

[10]Attackers swipe data of 500k+ people from Pennsylvania teachers union

The Register asked the school how the breach came to pass, and exactly how many children were affected, but it did not comment beyond its official statement.

One mother, who spoke to [11]Birmingham Live , expressed concern that her child was put at risk due to the breach, adding that the [12]spreadsheet contained "the whole of the school on it."

"I emailed the school about it and they said an error had been made," she said. "The link had been removed from Bromcom, which is an intranet system for the school. This put my child's safety at risk." ®

Get our [13]Tech Resources



[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aMGgmCJGWw6Y8Cnqz50kwwAAAQ4&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aMGgmCJGWw6Y8Cnqz50kwwAAAQ4&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aMGgmCJGWw6Y8Cnqz50kwwAAAQ4&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aMGgmCJGWw6Y8Cnqz50kwwAAAQ4&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[5] https://www.theregister.com/2025/02/25/google_sms_qr/

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aMGgmCJGWw6Y8Cnqz50kwwAAAQ4&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[7] https://www.theregister.com/2025/01/09/powerschool_school_data/

[8] https://www.theregister.com/2025/09/05/uk_schools_intradev_breach/

[9] https://www.theregister.com/2025/05/08/powerschool_data_extortionist/

[10] https://www.theregister.com/2025/03/19/pennsylvania_nonprofit_cyberattack/

[11] https://www.birminghammail.co.uk/news/midlands-news/mum-fears-child-at-risk-32438547

[12] https://www.theregister.com/2024/10/22/excel_enters_its_40th_year/

[13] https://whitepapers.theregister.com/


wolfetone

From all my time living in Birmingham and going to school there etc, I never ever ever heard of anything good about Tudor Grange.

It's good to know nothing changes.

"[We] will put measures in place to ensure this doesn't happen again"

Dr Who

Once again, and as the MOD has demonstrated in spectacular and devastating fashion, not using a spreadsheet as a database of sensitive data would be a start.

Doctor Syntax

"put measures in place to ensure this doesn't happen again."

AKA closing the stable door after the horse has bolted. Obviously no measures were in place to ensure it didn't happen at all.

Effective measures are those put in place proactively.

...hold on...

YetAnotherACUser

"the school sent an email ...

... contacting our management information ... and ensuring that the SMS message was removed and recalled."

...so, was it an e-mail or an SMS? And how do you "recall" an SMS (or a sent e-mail) ? Do they know what is the difference between the two ?

This is obviously "damage control in panic mode", but is also indicative of the knowledge (or lack of) about the systems they are supposed to use.

Bromcom pr department

Giles C

Must be thrilled they have appeared in two separate stories on the El Reg on the same day.

Well they will until they read the articles….

Re: Bromcom pr department

KarMann

…at which point, they just cite the good ol' 'there is no such thing as bad publicity' trope, and request a pay rise.

1,200 students

Anonymous Coward

You would have to wonder whether their whole system might be more efficiently managed by a purely paper based system.

Send the the paper consent form home with the student or via snail mail. Personally with vaccinations make it opt out, consent by default. No one ever asked anyone when we got the polio vax and TB shots at school when I were a lad. ;)

Re: 1,200 students

Anonymous Coward

My son's school managed to have the following communication channels in order of roll out without retiring any previous channel: paper, e-mail, news page on website (no notification), message via online portal (no notification) Classroom (notification to the children but no notification to parents), other homework websites, Instagram stories (just no), and a dedicated instant messenger app.

I didn't download the app, however the school cottoned on to the fact their spam was annoying parents and causing them to uninstall it, so only then did they start moving important communications to the app to make people install it again.

If schools really do care about children's screen time and social media use, they can start leading by example. E-mail or paper if it's a legal requirement, everything else is surplus to requirements.

Re: 1,200 students

heyrick

Hmmm, and what are the permissions for the app? Run at startup, track your location, unfettered web access? Like that's not ripe for abuse.

Have you tried it on one of those fake-VPN firewall apps to see what it tries to connect to?

What is their recourse for people without smartphones (yes, it can happen, there are a few people at work younger than me that want nothing more than a solid Nokia that does calls and texts and runs for *days* on a single charge).

What, in fact, are the legal requirements giving that shoving a notification on an app is hardly going to pass as an appropriate level of communication for actually important matters?

Re: 1,200 students

blackcat

What happened to 'take this letter home to your parents'?

Now this was a long time ago and the school was quite small but my primary school handed out a little booklet to every parent at the start of the year that had the names of every pupil, their class number, their parents names and parents contact details. Always seemed overkill!

spold

Atishoo, Atishoo we all fall down....

Re:- “we all fall down”

TimMaher

Nope. Not me.

Mine’s the one with a pocket full of pansies.

He who hoots with owls by night cannot soar with eagles by day.