Why UK Private and Independent Schools Have Become a Target for Cybercriminals

News and information from the Advent IM team.

We work extensively in the private and independent school sector and have noticed that over the past five years, UK private and independent schools have increasingly found themselves in the crosshairs of cybercriminals. As these institutions become more reliant on digital platforms for administration, teaching, and communication, their vulnerabilities to cyberattacks have become more apparent. A perfect storm of valuable data, lower cybersecurity budgets, and sometimes inadequate defences has created an attractive target for cybercriminals.

  1. A Treasure Trove of Data

One of the primary reasons why private and independent schools are so appealing to cybercriminals is the sensitive nature of the data they hold. These schools collect and store a wide variety of personal information, including:

  • Financial data: Payment records from parents, often including bank account details.
  • Personal information: Names, addresses, and other identifying information about students, parents, and staff.
  • Academic records: Detailed data about student performance and behaviour.

With this kind of information, cybercriminals can commit identity theft, financial fraud, or even sell the data on the dark web. The value of these datasets, combined with a school’s relatively underdeveloped security measures, makes them prime targets.

  2. Ransomware on the Rise

Ransomware has been one of the most prominent cyber threats to UK schools, with incidents rising dramatically in the last few years. A study by the UK National Cyber Security Centre (NCSC) reported a 75% increase in cyber incidents involving schools in 2020 alone. In ransomware attacks, cybercriminals gain access to a school’s network and encrypt its data, demanding payment to release it. Schools, in desperation to resume their operations, often pay these ransoms, which further encourages cybercriminals.

  3. Increased Reliance on Digital Learning

The shift to remote learning during the COVID-19 pandemic has also exposed schools to heightened cyber risks. While digital learning platforms allowed schools to continue operating during lockdowns, they also became attractive points of entry for cybercriminals. According to the Department for Education (DfE), many independent schools had to rapidly adopt new technologies and systems, often without fully addressing security vulnerabilities. This accelerated digitalisation, combined with a lack of cybersecurity expertise, created opportunities for attackers to exploit.

  4. Low Cybersecurity Budgets

Despite the valuable data they hold, many private and independent schools have relatively modest budgets for cybersecurity compared to larger organisations. According to the 2021 UK Cyber Security Breaches Survey, only 36% of UK schools had adequate cybersecurity measures in place. This lack of investment leaves them exposed to both sophisticated and opportunistic attacks. For cybercriminals, schools present an easy target with potentially high returns.

  5. Notable Attacks

Several high-profile cyberattacks on UK schools have made headlines in recent years, highlighting the scale and impact of these breaches:

  • Harris Federation Attack (2021): One of the largest multi-academy trusts in London, the Harris Federation, was hit by a ransomware attack, affecting nearly 50,000 students. The attackers demanded a significant ransom, though the exact amount remains undisclosed.
  • Cambridge Meridian Academies Trust (2020): A cyberattack on this trust affected a number of its schools, leading to significant disruption in learning and administration. The incident revealed how vulnerable even large educational institutions are to such threats.
  • Lewisham and Greenwich Schools (2022): A series of coordinated ransomware attacks targeted multiple schools in the Lewisham and Greenwich area, forcing schools to revert to manual systems, as they lost access to vital IT resources.

  6. The Future: Addressing Cybersecurity in Schools

Given the rise in cyberattacks on private and independent schools, it’s essential that these institutions prioritise cybersecurity in the years to come. Schools need to invest in robust cybersecurity measures, such as:

  • Regular staff training to recognise phishing and other common attack vectors.
  • Frequent software updates and patching to close vulnerabilities.
  • Backup systems and contingency plans to minimise damage in the event of an attack.

Moreover, the UK government has been proactive, providing guidance through the NCSC and DfE, but it’s clear that more funding and support are needed to fully safeguard schools from the rising tide of cybercrime.

  7. The Data Protection Act and Schools’ Legal Obligations

UK private and independent schools not only face the threat of cyberattacks but also have legal responsibilities under the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR). These regulations mandate that organisations, including schools, must take appropriate steps to protect the personal data they hold. Failure to do so can result in hefty fines and significant reputational damage.

One of the key requirements under the Data Protection Act is that schools must implement robust data protection policies and ensure that all staff members are adequately trained to handle sensitive data. This includes understanding how to identify and respond to cyber threats such as phishing emails, ransomware, and unauthorised access to data. Training must be comprehensive and regularly updated to reflect evolving cyber risks.

Schools are also obligated to ensure that they have:

  • Clear data handling policies in place, outlining how personal data is collected, stored, processed, and shared.
  • Security measures, such as encryption and secure storage systems, to protect data from unauthorised access or breaches.
  • Incident response plans that include steps to mitigate damage in the event of a cyberattack, as well as procedures for reporting breaches to the Information Commissioner’s Office (ICO) within 72 hours.

For many schools, especially smaller independent institutions, understanding and implementing these legal obligations can be a complex task. That’s why seeking help from cybersecurity and data protection experts such as us is highly recommended. These experts can provide advice on creating and maintaining robust cybersecurity strategies, ensure compliance with data protection laws, and offer staff training that is tailored to the specific needs of the school.

In addition, organisations such as the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) provide valuable resources and guidance on how schools can protect themselves from cyber threats while adhering to data protection regulations. By utilising these resources and collaborating with external specialists, schools can not only reduce their risk of a cyberattack but also ensure they are meeting their legal obligations under the Data Protection Act.

 
