Birmingham school email error exposes student data
Learn More
Tudor Grange Academy Kingshurst in Birmingham exposed data on September 8, 2025, when an email error led to the accidental exposure of hundreds of students' personal information.
The school sent a message to parents regarding flu vaccination consent forms that mistakenly contained a downloadable spreadsheet with sensitive student data instead of a link to a permission form.
The exposed data included sensitive information for students from Year 7 through Year 11 (ages 11 to 16):
- Student names
- Dates of birth
- Gender/sex
- Year groups
- Tutor groups
- Parent and carer contact telephone numbers
The spreadsheet appeared to contain data for the entire student body within the affected year groups. The breach potentially affected students across five year groups at the school, which has a total enrollment of 1,198 students including its sixth form.
The data was exposed for only nine minutes between 9:50 AM and 9:59 AM on September 8, 2025. The exposure was limited to parents who had access to the school's Bromcom system during that intervale.
Tudor Grange Academy Kingshurst acknowledged the error and issued public apologies to the school community.
The incident was reported to the trust's Data Protection Officer, and school officials indicated they would liaise with the Information Commissioner's Office (ICO) if necessary. The school committed to implementing stronger safeguards to prevent similar mistakes in the future and requested their management information system provider to conduct a full investigation into the technical error that caused the breach.
