The incident
A teacher noticed a locked file with an unusual file type. They immediately contacted the Deputy Headteacher, who escalated this to both the Trust’s third-party IT provider and the internal IT team. Their suspicion came from personal awareness rather than any cyber security training, as no formal cyber security training or awareness programme was in place at the time.
At that time, the team did not treat cyber security as a priority, which resulted in limited awareness across the trust.
There was no cyber response plan in place at the time of the incident.
“Cyber security in education is often seen as a purely technical challenge when, in reality, it’s about people, preparedness, and culture.”
The impact
All systems were taken offline for 2 weeks, including internet access and shared files, resulting in direct financial loss and operational disruption. School meal payments could not be processed because the cashless catering system was no longer operational. In an attempt to reduce disruption, administrative staff tried to record purchases on paper, but the process proved impractical and caused substantial delays. Instead, the school provided meals free of charge to maintain normal lunchtime operations.
The Trust’s catering operations at the time generated sizeable daily revenue, resulting in a substantial financial loss during the 2-week outage.
In addition to the immediate financial loss, there was the cost of staff overtime, alongside teaching and administrative staff redirecting their capacity to managing the disruption.
At least 6 weeks of learning were disrupted by the lack of access to learning materials. There were no plans in place for remote learning, as the incident took place before the COVID-19 lockdowns. Students sensed the chaos and noticed teachers becoming flustered.
Actions taken
The IT provider began containment measures and forensic analysis to assess the scale of the infection and secure the affected network.
The Trust’s internal IT team focused on clearing infected devices and verifying systems, using a limited recovery plan from the IT provider. This included a decryption key for the encrypted files; recovering files with a key does not by itself remove the malware, so each device still had to be cleaned and verified.
The network was partially reinstated when the Trust’s IT team confirmed that the majority of the devices were clean. Due to the large number of devices affected, it took around 6 weeks for every machine at the Trust to be restored and operational.
The Trust’s Senior Leadership Team (SLT), being the key decision makers throughout the incident, made the strategic decision to bring all infrastructure in-house. This was to strengthen their ability to detect, contain, and recover from future cyber threats more efficiently.
Handling communications
The SLT led the organisational response, sharing daily updates with staff about device handling, recovery progress, and priorities, while maintaining communication with external partners.
Post-incident recovery and resilience
Although the incident was considered resolved after 3 months, with all services back online, no formal review or post-incident analysis was conducted. As a result, preventative measures were not implemented to reduce the risk of further attacks. In 2020, a review by the trust board recognised that the incident had not been resolved from a strategic or cyber resilience perspective.
Luke joined the Trust in 2022, and over the following months the Trust undertook a comprehensive review and implemented significant security improvements. This included a new wide area network, replacing outdated equipment, implementing multi-factor authentication and moving to a cloud-based infrastructure. Centralised patching, endpoint protection and strict privilege management were also introduced at each of the schools.
Alongside strengthening their technical defences, the Trust invested significant time and effort into educating their schools. Each school now has clear cyber security guidance, offline resources and communication plans to ensure learning and essential services can continue during disruption.
The Trust gained Cyber Essentials certification, demonstrating that the baseline technical controls the scheme requires were in place to reduce the risk of future incidents.
From a governance and security standpoint, the Trust reached a true state of recovery by December 2022.
The Trust has had no further downtime or incidents since the initial attack.
Luke’s advice for others
1. Review the basics
“In education, everyone is incredibly busy, and cyber security can easily feel like just another task on the list.
Most cyber incidents don’t happen because of highly sophisticated attacks; they happen because of overlooked basics. Getting that right is one of the most effective ways to protect your school community.”
2. Simple measures are effective
“My biggest piece of advice is that cyber security doesn’t have to be complicated or expensive. Looking back at our own experience, it’s clear that some very simple measures could have prevented the attack.
Things like restricting the ability for users to install software, regularly reviewing permissions and access rights, removing historic privileges that could be exploited as an entry point, and ensuring updates and patches are applied consistently.”
3. Gain the Cyber Essentials certification
“We wanted to demonstrate that we had done everything possible to ensure such an incident could not happen again, and to rebuild confidence among our staff, students, parents, and trustees. Gaining that accreditation meant a great deal to the organisation after the turmoil of the attack, marking a clear turning point in our cyber resilience journey.”
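As an added illustration of the permissions review described in point 2 above (example code written for this page, not the Trust’s own tooling), the following Python script runs a privileged-account review over a constructed directory export. It flags accounts that hold privileged group membership while dormant, disabled, or not on an approved administrator list, which are exactly the historic privileges that can become an entry point. The group names, the approved-admin list, the 90-day dormancy threshold and the account records are all assumed for the example:

```python
"""Privileged-account access review over a constructed directory export.

Flags privileged accounts that are dormant, disabled but still privileged,
or not on the approved administrator list. Every record and name below is
constructed for this example; replace them with an export from your own
directory before use.
"""
from datetime import date, timedelta

# Groups treated as privileged (assumed names; adjust to your directory).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Server Operators"}

# Accounts approved to hold privileged membership (assumed list).
APPROVED_ADMINS = {"it.admin1", "it.admin2"}

# Flag privileged accounts unused for longer than this (assumed threshold).
DORMANT_AFTER = timedelta(days=90)

# Review date for the constructed data, fixed so the results are repeatable.
TODAY = date(2024, 6, 1)

# Constructed export: one record per account, as a directory export would give.
ACCOUNTS = [
    {"sam": "it.admin1", "enabled": True, "groups": ["Domain Admins"], "last_logon": "2024-05-28"},
    {"sam": "it.admin2", "enabled": True, "groups": ["Domain Admins"], "last_logon": "2024-05-30"},
    # Historic supplier account that nobody removed after the contract ended.
    {"sam": "old.supplier", "enabled": True, "groups": ["Domain Admins"], "last_logon": "2022-11-03"},
    # Leaver whose account was disabled but never removed from its groups.
    {"sam": "j.bloggs", "enabled": False, "groups": ["Server Operators", "Staff"], "last_logon": "2023-09-14"},
    {"sam": "r.teacher", "enabled": True, "groups": ["Staff"], "last_logon": "2024-05-31"},
    # Service account granted a privileged group without going through approval.
    {"sam": "svc.backup", "enabled": True, "groups": ["Enterprise Admins"], "last_logon": "2024-05-29"},
]


def review_privileged_accounts(accounts, today, privileged=PRIVILEGED_GROUPS,
                               approved=APPROVED_ADMINS, dormant_after=DORMANT_AFTER):
    """Return a list of (account, reason) findings for privileged accounts.

    An account can produce several findings; each is a separate tuple so the
    report shows every reason the membership should be removed or justified.
    """
    findings = []
    for acct in accounts:
        held = privileged.intersection(acct["groups"])
        if not held:
            continue  # no privileged membership, nothing to review here
        groups = ", ".join(sorted(held))
        if not acct["enabled"]:
            findings.append((acct["sam"], f"disabled account still in {groups}"))
        idle = today - date.fromisoformat(acct["last_logon"])
        if idle > dormant_after:
            findings.append((acct["sam"], f"dormant for {idle.days} days, still in {groups}"))
        if acct["sam"] not in approved:
            findings.append((acct["sam"], f"not on approved admin list but in {groups}"))
    return findings


if __name__ == "__main__":
    for sam, reason in review_privileged_accounts(ACCOUNTS, TODAY):
        print(f"{sam:14} {reason}")
```

Run against the constructed data, the review reports nothing for the two approved, active administrators and flags the supplier account (dormant and unapproved), the leaver (disabled, dormant and unapproved) and the service account (unapproved). Running the same review on a schedule, with the approved list kept under change control, turns the one-off clean-up into the regular review the advice calls for.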