The UK government has revealed that betting companies were granted access to a sensitive database containing the personal details of as many as 28 million children.
These betting companies were given access to the Department for Education’s database known as the Learning Record Service, which records and stores information on students in England, Wales and North Ireland.
According to a report from The Sunday Times, “a data intelligence firm known as GB Group was able to sign an agreement with a third-party company to access the data. GB Group’s clients include gambling firms such as Betfair and 32Red, which apparently used the data for age and ID verification on their websites.”
A government spokesperson has told the associated press that “this was completely unacceptable and we have immediately stopped the firm’s access and ended our agreement with them,” adding that “we will be taking the strongest possible action.”
Anne Longfield, the children’s commissioner for England told the media that she was “very shocked to learn that data has been handed over in this way.”
InfoSecurity Magazine is reporting that “the third-party, Trust Systems Software (Trustopia), denies providing database access to GB Group. Both GP Group and the DfE are investigating the reports, with the latter having reportedly disabled access to the data trove and informed privacy watchdog the ICO.”
Phil Muncaster notes that “although the information used by the betting firms appears to have been limited, give it covers a huge number of children, the incident could well lead to a significant GDPR investigation by the ICO.”
"The responsibility sits squarely with the Department for Education, which has collected vast amounts of children’s data for nearly a decade with apparently little oversight.”
Security advocate with KnowBe4, Javvad Malik said that “this is not just a security breach, but a breach of trust, where there is an expectation of fair, lawful and transparent use of the data by everyone who has access to it - which in this case has not happened.”
“In all of this,” he continued to explain, “the responsibility sits squarely with the Department for Education, which has collected vast amounts of children’s data for nearly a decade with apparently little oversight.”