Analysis

Data breach dents Estonia’s reputation for online expertise

Estonia, a country that prides itself on being a global leader in online expertise and which has invested heavily in the development of its e-infrastructure, has put the lives of children at risk.

Estonian news outlet Postimees has reported that the Estonian Schools Information System (EKIS) has allowed anyone to gain access and download descriptions of children’s medical conditions, behavioural problems and family relationships for years.

EKIS collates the document registers of more than 500 Estonian schools and kindergartens. This means that the total number of documents and identities which were inadvertently made public could reach well into the thousands.

The leaked information has provided access to a student’s entire educational history and problems, from counselling programmes to criminal charges of physical abuse.

Estonia’s Ombudsman for Children, Ülle Madise, believes it is utterly unacceptable that this kind of data was publicly available. “The situation needs to be resolved as quickly as possible. We need to find out how it was possible and what to do to make sure it would never happen again,” Ms Madise told the investigative journalism TV show Radar.

The Ministry of Education and Research, responsible for EKIS, has blamed careless employees of educational institutions.

According to Postimees, the results of the press investigation were handed over to the ministry of education and the Estonian Data Protection Inspectorate on September 28. The investigation looked at 200,000 documents registered on EKIS between 2015 and 2018.

The investigation into the breach has found 107 school readiness assessments, 35 Rajaleidja counselling committee decisions, 18 data requests or descriptions for criminal proceedings and 17 social welfare department queries or replies. This does not include documents that mention a person’s name, place of residence, age, grade, marks or school, and documents that included personal information of school employees.

Whilst the ministry is adamant that the fault of the breach lies with the schools, it is clear that a lack of due diligence has exacerbated the problem.

“The cause of the data leak is a failure on the part of users [of the database] to pay attention to public access settings when entering documents,” the ministry’s Tea Varrak told local governments in a letter sent on October 2.

“It seems we have a lot of work to do,” said Kadri Levand, senior inspector of Estonia’s Data Protection Agency.

Heads of schools also support the ministry’s allegations that teachers are to blame.

According to Leelo Tiisvelt, headmaster of Randvere School, making information public “is not human error, it is deliberate action.” Some of the leaked descriptions of Randvere’s students were among the most sensitive.

Ms Tiisvelt added: “I very much doubt the school removed access restrictions when entering the data in 2016. Documents became public after EKIS received an update this September. As head of a school, I would like to know how the system has been monitored. How can there be so many human errors that the system did not pick up on?”