I hope you didn't create the SIMS account @Steve21!! It's important that steps like @PhilNeal has stated are followed, this how vulnerabilities occur, you shouldn't assume that it is secure just because only you know the password! Just look at Heartbleed, just because large companies like Google assume something is secure does't mean you should. Far as you are aware the schedule task is sucking all the data out all your data then the application is uploading to some server in China. Limiting the scheduled tasks\application isn't going to stop that, but it will at least limit the amount of damage that it could cause. It's not like it's difficult either, few clicks and you've gone from potential releasing an entire schools information - everything from SEN data, to staff bank details and everything inbetween - to a heck of a lot less (still not great of course)
Nope not myself Matt, but guess my point being a lot of these services need higher than normal permissions (ok maybe not sys etc), but as an example Emerge wanted:
• Personnel Officer
• School Administrator
• Senior Management Team
• Third Party Reporting
It would be interesting to know why they need each of those access rights.