therecord.media Suzanne Smalley
October 10th, 2025

Austria's data protection authority on Wednesday ruled that Microsoft illegally tracked students using its education software by failing to give them access to their data and using cookies without consent.

The decision from Austria’s Datenschutzbehörde (DSB) came in response to a 2024 complaint lodged by the Austrian privacy advocacy group noyb, which accused the tech giant of violating Europe’s General Data Privacy Regulation for its handling of children’s data.

The complainant in the case, the father of a minor whose school uses the software, said he did not consent to the cookies and could not get information about how his child’s data was being used.

Microsoft 365 Education is used by school districts to manage technology, allow collaboration and store data in the cloud. It includes Office applications like Word, Excel, Outlook and PowerPoint as well as security tools and collaboration platforms like Teams.

"The decision highlights the lack of transparency in Microsoft 365 Education," Felix Mikolasch, a data protection lawyer at Noyb, said Friday in a prepared statement. "It is nearly impossible for schools to inform students, parents and teachers about what is happening with their data."

A spokesperson for Microsoft said in a prepared statement that the company will review the decision.

“Microsoft 365 for Education meets all required data protection standards and institutions in the education sector can continue to use it in compliance with GDPR,” the statement said.

The regulator has ordered Microsoft to give the complainant access to their data and to begin to explain more clearly how it uses data it collects.

Comme d’autres services publics avant elle, l’université Paris-Saclay a subi une cyberattaque par le biais d’un ransomware sur ses serveurs. L’attaque qui a eu lieu le 11 août a affecté les services centraux de l’établissement, ainsi que ses composantes (facultés, IUT, Polytech Paris-Saclay, Observatoire des sciences de l’univers). Sont notamment indisponibles un certain nombre de services comme la messagerie électronique, l’intranet, les espaces partagés et certaines applications métier. Un site provisoire a été mis en ligne afin d’assurer, durant les prochaines semaines, la communication auprès des personnels et des étudiants. Une foire aux questions, relative à la cyberattaque, régulièrement complétée et actualisée y est affichée.

On 2 May 2024, the City of Helsinki issued a notice of a data breach targeted at its Education Division. Investigation into the data breach proceeds through a cooperative effort by the City´s own and external experts. On Monday, 13 May 2024, the City of Helsinki held a press conference on the progress of this investigation.

The Danish data protection authority (Datatilsynet) has issued an injunction regarding student data being funneled to Google through the use of Chromebooks and Google Workspace services in the country's schools.

Artificial intelligence offers potential for individualised learning in education and supports teachers in repetitive tasks such as corrections. However, there are regulatory and ethical challenges. The guide is primarily aimed at providers, but can also offer insightful insights to school leaders.

A total 761 people had sensitive personal data hacked during a cyberattack on the education department of the Swiss city of Basel.

There are new developments on the cybersecurity attack that has crippled internet services at Bluefield University. We’ve learned through “RamAlert” texts sent to students, faculty and staff that the cyber attackers are now directly communicating with everyone on the alert system. They have identified themselves as “AvosLocker” and are demanding payment in return for not leaking students’ private information. The FBI considers AvosLocker to be ransomware. In March 2022, they released an advisory on it. They said avoslocker has “Targeted victims across multiple critical infrastructure sectors in the U.S. Including…The financial services, critical manufacturing, and government facilities sectors.”

In a hacking episode that is spiraling from bad to worse, cybercriminals have leaked highly sensitive documents related to droves of Minneapolis students.

A mandatory app exposed the personal information of students and teachers across the country for over a year.

The Vice Society ransomware gang has claimed responsibility for the November 2022 cyberattack that forced the University of Duisburg-Essen (UDE) to reconstruct its IT infrastructure, a process that's still ongoing.

How Finland Is Teaching a Generation to Spot Misinformation
The Nordic country is testing new ways to teach students about propaganda. Here’s what other countries can learn from its success.

Confidential details including child passport scans and SEN data is published online, the BBC finds.

Vice Society, a ransomware gang, has been involved in high-profile activity against schools this year.

The Information Commissioner’s Office (ICO) has issued a reprimand to the Department for Education (DfE) following the prolonged misuse of the personal information of up to 28 million children.

An ICO investigation found that the DfE’s poor due diligence meant a database of pupils’ learning records was ultimately used by Trust Systems Software UK Ltd (trading as Trustopia), an employment screening firm, to check whether people opening online gambling accounts were 18.