A pair of school students were able to access some 2,000 files containing data on other students’ mental health diagnoses, family circumstances, and disabilities thanks to a security shortcoming at the New South Wales Department of Education.

According to a NSW Auditor-General report released Monday, the incident was one of 491 suspected data breaches across a three-year period.

While assessing how effectively the department and public schools protected the security and privacy of student information, the report revealed two high schoolers had gained access to roughly 2,000 files stored in Microsoft 365.

Over a period of three months in 2025, the duo managed to access some files which contained “personal and highly sensitive information” relating to other pupils, including behaviour concerns.

The incident was made possible thanks to configuration choices which “undermined” Microsoft 365’s built-in access controls, the Department of Education told auditors.

During rollout, the department set default permissions that allowed files to be shared with all users within the organisation.

“This meant that when staff in individual schools collaborated on documents, they unknowingly and inadvertently gave access to students and staff across all schools and the department,” read the report.
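The failure described above is a tenant-wide sharing default: when the default share link is "People in your organisation", every account in the tenant, student accounts included, can open a file once it has been shared that way. The PowerShell below is an added example, not code from the audit report or the department, showing how an administrator audits and tightens that default in SharePoint Online and OneDrive. It assumes the SharePoint Online Management Shell module and a SharePoint administrator role; the tenant admin URL is a placeholder.

```powershell
# Added example (not from the audit report or the department): audit and tighten the
# tenant-wide default sharing link type, which decides what a plain "Share" in
# Microsoft 365 grants when the user does not change the link settings.
# Requires the SharePoint Online Management Shell and a SharePoint admin role.
Import-Module Microsoft.Online.SharePoint.PowerShell

# Placeholder tenant admin URL: replace <tenant> with your own tenant name.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

# 1. Audit: read the current tenant defaults.
#    DefaultSharingLinkType values: None, Direct, Internal, AnonymousAccess
#      Internal  = "People in <org>" link: anyone signed in to the tenant can open it
#      Direct    = "Specific people" link: only the named recipients can open it
#    DefaultLinkPermission values: None, View, Edit
$tenant = Get-SPOTenant
$tenant | Select-Object DefaultSharingLinkType, DefaultLinkPermission, SharingCapability

if ($tenant.DefaultSharingLinkType -eq 'Internal') {
    Write-Warning "Default share link is organisation-wide: a file shared by one school is readable by every account in the tenant."
}
if ($tenant.DefaultLinkPermission -eq 'Edit') {
    Write-Warning "Default share link grants Edit rather than View."
}

# 2. Remediate: new share links default to specific recipients with view-only access.
#    Existing links are not rewritten by this change; they must be reviewed separately.
Set-SPOTenant -DefaultSharingLinkType Direct -DefaultLinkPermission View

# 3. Verify the change took effect before closing the ticket.
(Get-SPOTenant).DefaultSharingLinkType   # expected: Direct
```

Changing the default only affects links created afterwards; documents already shared with the "People in your organisation" link keep that access until their sharing is reviewed, which is why containment in an incident like this one also involves finding and re-permissioning the files already exposed.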

The department addressed and contained the breach at the time it was identified, and disabled the accounts of the students who accessed the files.

The pair were also made to delete any files not related to their schoolwork.

Neither the department nor the auditor-general identified the related school when approached by Information Age.

“The Department of Education takes its responsibilities with respect to the security and privacy of student information extremely seriously,” a departmental spokesperson said.

Three years, 491 suspected data breaches

The incident was among 491 suspected data breaches and 13 privacy matters involving student information from 2023 to 2025.

Nearly 50 of the incidents were deemed not to be data breaches after investigation, while 435 were matters assessed as being a data breach, but not an ‘eligible data breach’ under state law.

In one of these cases, a student gained access to other pupils’ information via a school’s technical support officer account for a third-party system.

Six matters meanwhile qualified as eligible data breaches, including the incident involving the pair of high school students.

The NSW Department of Education says it takes its security and privacy responsibilities 'extremely seriously'. Image: Shutterstock

The audit noted “not all data breaches involve personal information”, and that the number of data breaches appeared “low” compared to the approximately 780,900 students, 86,500 teachers, and 42,000 educational support staff in NSW schools.

Notably, the department found 3 per cent of suspected data breaches it investigated in 2024-25 were caused by cyber incidents, while 83 per cent were the result of human error such as email errors, access control errors, permission-to-publish errors, and staff misconduct.

Auditor-general spots ‘critical gaps’

The auditor-general’s report acknowledged the department had uplifted its cybersecurity capability, developed specific policy frameworks, and centralised its contracts for learning apps in schools.

These improvements, however, did not eliminate “critical gaps” in the translation of departmental policies and systems to day-to-day practice within schools.

One of the key findings indicated that technical responsibilities, such as controlling access settings and managing sensitive information, were often assigned to school principals despite the department neglecting to assess their capability and capacity to meet these obligations.

The use of third-party platforms also drew scrutiny for gaps in departmental oversight; over 60 per cent of online learning apps used by 37 schools consulted for the audit were not available through the department’s “marketplace” of approved software.

In some cases, these apps could collect student wellbeing data, demographic information, images, and audio recordings.

Further, the audit identified cases where staff retained access to student information and access to systems at schools where they “no longer work”.

The report outlined four recommendations, including improvements to access controls, oversight of third-party products, and clarifying department and school-level responsibilities.

“The department supports all recommendations and is committed to implementing them in a manner that is practical, proportionate, and aligned to the operational realities of NSW public schools while continuing to safeguard public information,” a NSW Department of Education spokesperson said.

Tracey Broers, group general manager for risk at security provider SKG Services, said the recent data breaches reinforced that “cybersecurity is no longer just an IT issue involving hackers”.

“The greatest vulnerabilities often arise from governance gaps rather than technology itself, with the resulting reputational damage often far exceeding the immediate operational impact,” she said.

“Effective cyber resilience depends on strong governance, disciplined access controls, continuous monitoring, regular assurance, and ongoing staff awareness.”