Betting companies were inappropriately provided access to information sourced from a government database containing the records of 28 million children, reports suggest.
The UK's Department for Education (DfE) is responsible for the database, which contains the details of minors aged 14 and above at schools -- both state and private -- as well as colleges across the United Kingdom.
The database is intended for training and educational use, and the government requires users of the system who have a direct relationship with learners to make sure it is fully understood how learners' information may be used.
Generally, the system is reserved for schools, academies, further education (FE) providers and local authorities.
According to an investigation conducted by The Sunday Times, a partner company handed over access to information gleaned from the database, known as the Learning Records Service, without permission.
A third-party training provider, Trustopia, allegedly "broke an agreement" with the government and gave access to the Learning Records Service system to GB Group, whose gambling firm clientele were then able to use the data on offer for rapid online identity checks and for age verification purposes.
Names, ages, and physical addresses were allegedly included in the data breach. The publication labeled the incident as "one of the biggest breaches of [UK] government data."
The DfE has since disabled access to the database. The Children's Commissioner for England, Anne Longfield, told the Times that she was "shocked to learn that data has been handed over in this way."
Trustopia has denied the claims.
In a statement, the DfE said the situation "was completely unacceptable and we have immediately stopped the firm's access and ended our agreement with them," adding that the "strongest possible action" will be taken.
GB Group told the Daily Mail, "We take claims of this nature very seriously and, depending on the results of our review, we will take appropriate action."
It will be interesting to see if the EU's General Data Protection Regulation (GDPR) can be applied to this context, and which organization -- or the government itself -- could be deemed responsible.
ZDNet has reached out to Trustopia and will update if we hear back.