British High School Sends Students Home After Cyberattack

Executive Summary

Great Marlow School, a secondary school in Buckinghamshire, England, sent the majority of its 1,428 students home for a second consecutive day on Thursday after what headteacher Guy Pendlebury described as "a cybersecurity incident affecting our ICT systems." Only students sitting GCSE and A-Level external examinations were permitted on campus. The school stated it is working with specialist IT and cybersecurity professionals and following guidance from the UK's Department for Education (DfE) and the National Cyber Security Centre (NCSC), according to a statement on the school's website cited by The Record from Recorded Future News.

Technical Analysis

The nature of the incident — whether ransomware, data theft, or a denial-of-service attack — has not been publicly confirmed by the school or authorities. Pendlebury's statement pledged a further update by the end of the school day and emphasized that student and staff safety remains the priority. The school's response aligns with DfE and NCSC incident-handling frameworks, which typically involve isolating affected systems, preserving forensic evidence, and engaging external incident responders.

Data from the UK's Information Commissioner's Office (ICO) shows 1,959 reported cyber incidents in the education and childcare sector between 2019 and 2025, with 2023 being the peak year at 354 reports. In 2025, the figure stood at 259 incidents. Ransomware groups such as Vice Society have previously targeted UK schools, publishing sensitive data about at-risk children on dark web leak sites. The ICO and NCSC have both expressed concern that ransomware victims increasingly keep incidents secret, and the British government is considering legislation that would mandate reporting of ransomware attacks.

The incident follows a pattern of disruptive cyberattacks on UK educational institutions. In April 2026, a 16-year-old was arrested in Northern Ireland after a cyberattack disrupted systems used by potentially hundreds of thousands of students. Earlier in 2026, Higham Lane School in Nuneaton also closed due to a cyberattack. Separately, the University of Nottingham confirmed a data breach claimed by the Shiny Hunters extortion gang, impacting a "significant amount" of current and former student data.

Mitigations & Recommendations

Until the school confirms the incident type and recovery timeline, defenders in the education sector should review their own incident response plans against NCSC guidance for schools. Key actions include: ensuring offline backups are tested and isolated from network-accessible systems; verifying multi-factor authentication is enforced on all remote access and administrative accounts; and reviewing vendor security postures, as research cited by the FCC indicates at least 75% of data breaches in U.S. public school districts originate from third-party vendors. Schools should also monitor ICO and NCSC alerts for emerging threats targeting the sector and consider participating in the UK's Cyber Schools Programme for additional resources.