Early indications
The first indications of an incident came at 6:30am on 10 July, when staff found they were unable to access documents. A search detected ransomware: files on a server had been encrypted, and the encryption extended across 10 sites. Several schools were unable to access their school management information system (MIS).
For the next 9 days, senior leadership, IT, external cyber specialists and school leaders followed an escalation and response process. They initiated their cyber response plan and contacted the RPA (the Department for Education's Risk Protection Arrangement).
Containment
The trust took immediate containment actions. They broke password synchronisation between on-premises Active Directory and Microsoft 365, so that any credentials compromised on the internal network could not be reused against the cloud tenant, reset passwords for all staff and students, and enforced multi-factor authentication. Guest accounts were disabled, firewall rules tightened and remote access blocked. They also deployed CrowdStrike endpoint detection and response across their devices.
Access was geolocked to the UK, which caused some problems for headteachers on summer holidays abroad! However, this rule remains in place for everyone's protection.
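The containment steps above, scripted as an added illustration (this is not the trust's own tooling, and it is not code from the page). It assumes a Microsoft Entra Connect server with the ADSync module, the Microsoft.Graph PowerShell SDK, an account holding the Global Administrator and Conditional Access roles, a placeholder user OU, and a placeholder break-glass account object ID. Run it from a clean administrative workstation, never from a host that may already be compromised.

```powershell
# Added example, not the trust's own scripts. Placeholders: the users OU and the break-glass ID.
Import-Module ADSync                     # on the Entra Connect server
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.SignIns

# 1. Break password hash sync so nothing set on-premises flows to the cloud tenant.
Set-ADSyncScheduler -SyncCycleEnabled $false

# 2. Reset every enabled user in the people OU to a random password and force a change at logon.
#    Scope this to user accounts; resetting service accounts blindly will break services.
$usersOu = 'OU=Users,DC=trust,DC=local'                      # placeholder
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $usersOu | ForEach-Object {
    $bytes = New-Object byte[] 24
    $rng.GetBytes($bytes)
    $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $_ -Reset -NewPassword $pw
    Set-ADUser -Identity $_ -ChangePasswordAtLogon $true
}

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# 3. Disable every guest account and revoke its refresh tokens.
Get-MgUser -Filter "userType eq 'Guest'" -All | ForEach-Object {
    Update-MgUser -UserId $_.Id -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $_.Id | Out-Null
}

# 4. Revoke all existing sessions so stolen tokens die with the old passwords.
Get-MgUser -Filter 'accountEnabled eq true' -All | ForEach-Object {
    Revoke-MgUserSignInSession -UserId $_.Id | Out-Null
}

# 5. Named location for the UK. Unknown/unresolvable countries are deliberately NOT
#    included, so sign-ins that cannot be geolocated are treated as "outside the UK".
$uk = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'United Kingdom'
    countriesAndRegions               = @('GB')
    includeUnknownCountriesAndRegions = $false
}

# 6. Conditional Access: MFA for everyone, and block sign-in from outside the UK.
#    One break-glass account is excluded so administrators cannot lock themselves out.
$breakGlass = '00000000-0000-0000-0000-000000000000'         # placeholder object ID

New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Require MFA for all users'
    state         = 'enabled'
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Block sign-in from outside the UK'
    state         = 'enabled'
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($uk.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
```

The order matters: stop the sync first, then reset passwords, then revoke sessions, otherwise an attacker holding a valid token keeps working through the reset. The geoblock is why the headteachers abroad were locked out; the break-glass exclusion is the control that keeps that lockout from also catching the responders.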
Working through the attack
As the scale of the attack became clear, teachers were advised to download and print materials so they could teach without internet access. For some, the timing was lucky: term was about to finish for the summer break, exams were complete, some students had already finished for the year, and end-of-term activities took many students out of the classroom.
However, 2 special schools in the trust needed ongoing internet access to support their students and learning. The trust considered whether they would have to close, but knew the impact this would have on families and students. Instead, staff worked around the clock to create firewall rules that allowed the special schools to continue operating almost as normal.
Rebuilding after the attack
Once the attack was contained, restoration began. The trust had to rebuild the entire server infrastructure from scratch. Data on the old servers, including student records, HR files and teaching documents, had to be cleaned before it was transferred. The process involved the internal team working with recovery experts and took weeks. Internal firewalls were implemented across all sites, networks were segmented using VLANs, and a separate secure network was created for IT administrative devices.
Efforts initially focused on the secondary schools, to make sure systems were secure before A-level results were released. This was a priority because results had to be printed so that students could confirm university places and make any appeals. The work was completed the day before results were released.
Work on the other schools was then completed by the end of the summer break, ready for the new school year.
Impact on staff
While the timing of the attack meant the impact on students wasn't as big as it might have been, it was still significant for staff. Teams worked around the clock to make sure the special schools could open, and again to get ready for A-level results.
Stress levels were high, and this was made worse by the worldwide CrowdStrike outage, which happened a week into the incident. This unexpected and unrelated event slowed recovery further and added an extra, unwelcome layer of stress to an already difficult situation.
Post-incident recovery and resilience
The response and recovery effort included over 1,200 hours of time covering incident management, forensic investigation, and remediation services.
The total cost was over £500,000.
Lessons learned
Chris Everard, Chief Operating Officer, shared some of the lessons they learned from the incident. He said,
“The incident reinforced the importance of a well-understood cyber response plan, clear escalation points, and up‑to‑date documentation. Understanding and documenting how systems connect to each other and work together would have saved us a lot of time.”
Chris said their biggest learning was around checking internal firewall rules and settings for intrusion protection, which would have helped to contain the attack.
To reduce risk, Chris recommends other schools and trusts:
- implement multi-factor authentication for all users
- ensure regular training
- keep an up-to-date list of cyber security training records
- ensure that no users are logged in with admin rights
- have robust contingency planning
- prioritise investment in cyber security
He also recommends, “Make sure you have backing of senior decision makers to invest in cyber security.”
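An audit for the "no users logged in with admin rights" recommendation, added here as an illustration (it is not the trust's own tooling and not code from the page). It assumes the ActiveDirectory module, an account permitted to run remote PowerShell on domain computers, and a placeholder naming convention in which dedicated privileged accounts carry an `adm-` prefix; everything that holds admin rights without that prefix is reported as a day-to-day account that should not have them.

```powershell
# Added example, not the trust's own scripts. The 'adm-' prefix is a placeholder convention.
Import-Module ActiveDirectory

function Test-IsPrivilegedName([string]$SamAccountName) {
    return $SamAccountName -like 'adm-*'                     # placeholder convention
}

# Domain level: every user nested anywhere inside the high-privilege groups.
$domainFindings = foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' -and -not (Test-IsPrivilegedName $_.SamAccountName) } |
        ForEach-Object { [pscustomobject]@{ Scope = $g; Account = $_.SamAccountName } }
}

# Endpoint level: domain accounts sitting in the local Administrators group on each computer
# that answers. Computers that are off or unreachable are skipped silently.
$computers = (Get-ADComputer -Filter 'Enabled -eq $true').Name
$localFindings = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'ActiveDirectory' } |
        ForEach-Object { [pscustomobject]@{ Scope = "local:$env:COMPUTERNAME"; Account = $_.Name } }
} | Where-Object { -not (Test-IsPrivilegedName ($_.Account -replace '^.*\\', '')) }

# One list of every place a non-privileged account holds admin rights.
@($domainFindings) + @($localFindings) | Sort-Object Scope, Account | Format-Table -AutoSize
```

Run it on a schedule and treat any new row as a finding: an ordinary staff or student account in either list is exactly the foothold ransomware needs to move from one encrypted document to an encrypted server estate.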