Schools were forced to delay pupils’ return to the classroom, suspend Covid testing and cancel parents evening after hackers struck in a series of targeted ransomware attacks.
A Schools Week investigation can reveal the devastating aftershocks of the cyber attacks, as the government’s security centre warned this week of the “growing threat” facing schools.
At a time when businesses have been strengthening their defences, schools have become soft targets for criminals
It warned that schools lost financial records, students’ coursework and Covid-19 testing data during the attacks.
Ruth Schofield, of cyber security experts Heimdal Security, told Schools Week the “rapid switch to remote learning” has made schools more dependent on their IT systems. But security has become less of a priority “in the rush to get pupils online”.
“At a time when businesses have been strengthening their defences, schools have become soft targets for criminals,” she added.
Ransomware is a type of malware that prevents you from accessing your system or the data held there, the NCSC explains.
The data is usually encrypted and may be deleted or stolen. Following the initial attack those responsible will “usually send a ransom note demanding payment to recover the data”. Payment is usually requested in the form of crypto currency.
Ransomware hits 17 schools in same trust
All 17 schools in Cambridge Meridian Academies Trust (CMAT) faced disruption when ransomware was identified within its network on March 12.
Schools’ communications, such as emails and phone lines, were down for around three days as the trust’s IT team “worked around the clock” to keep disruption to a minimum.
At Ely College, Covid testing was suspended for 24 hours on March 15 while systems were down, and the school was also forced to reschedule parents’ evenings and push back its deadline for Year 8 options.
Swavesey Village College continued its Covid testing on March 15, but alerted parents “you will not be automatically notified of their result until later this week” but would be contacted immediately in instances of a positive result.
A CMAT spokesperson said all schools remained open throughout and all systems were back online “within a couple of days”.
It is not believed any sensitive or personal information was accessed during the attack and no coursework was lost.
A small number of IT suites across the trust still require repairs which will be conducted over the Easter holidays.
On March 3, Nova Education Trust in Nottingham was struck by an attack which saw it shut down IT systems for each of its 15 schools as a “safety precaution”.
In the initial aftermath the trust was unable to provide remote teaching or upload new learning resources for students.
The trust’s recovery forced several of its secondary schools to push back the return of on-site lessons from March 8 to March 11 as staff were left without devices while they were being made secure.
Secondary age pupils at the trust still began testing on March 8. However, they were asked to return home once they had completed the tests instead of attending normal lessons as planned.
‘No reason to suspect same criminal’
The NCSC said it could not release exact figures for the number of attacks conducted due to operational reasons, but stated “there is no reason to suspect the same criminal” is behind each attack.
Meanwhile, on the morning of March 16, 24 schools across South Gloucestershire, including all seven at Castle School Education Trust (CSET), were hit by a “highly sophisticated ransomware attack”.
A CSET spokesperson said it has “caused significant disruption to our schools” and both the trust and South Gloucestershire Council are still working with external partners and agencies to investigate the attack and ensure “systems are secured safely and securely”.
A council spokesperson warned there “will be continued disruption over the coming weeks” varying from school to school. While some systems have been restored, others remain offline.
Remote learning for pupils is still being impacted by the attack, with schools hoping to provide “more interactive content for pupils” after Easter.
The NCSC said the attacks can have a “devastating impact on organisations” and may require a significant amount of recovery time to reinstate critical services.
What schools can do
The Department for Education wrote to school leaders this week stating it is “vital that you urgently review your existing defences and take the necessary steps to protect your networks from cyber attacks”.
Schools should confirm with their IT team or provider that they are backing up the right data, that back-ups are held offline and that their restore services have been tested.
The DfE supported NCSC recommendations that schools don’t encourage, endorse or condone the payment of ransom demands as this will “likely result in repeat incidents to educational settings”.
Other advice included using effective vulnerability management, installing antivirus software and implementing mechanisms to prevent phishing attacks.