A cyberattack on a school does not announce itself with a dramatic ransom note splashed across a screen. It announces itself with a quieter, more disruptive symptom: children told to stay home, teachers unable to send a single email, and an exam season thrown into disarray. That is exactly how it has played out at Great Marlow School in Buckinghamshire, where a suspected cyberattack forced most of its pupils home — and kept them there for a second straight day.
The school, which has 1,428 pupils according to the Department for Education, confirmed it was dealing with an incident affecting parts of its ICT network. As a precaution, staff took sections of the system offline while specialist IT and cybersecurity professionals investigated, and the school said it would remain closed to most students until the issue was resolved.
A closure timed for maximum disruption
The incident landed at the worst possible moment in the school calendar: exam season. The school’s response reflected a careful triage. Only students sitting GCSE and A-level external examinations were permitted to attend — those exams, governed by national boards and rigid timetables, simply cannot be moved. Every other year group was told to stay home.
The knock-on effects rippled outward. Internal examinations for Years 10 and 12 scheduled for the week were postponed. Even a Year 7 rowing lesson was cancelled — a small detail that captures how comprehensively a network outage reaches into the daily life of a school. And critically, teachers were unable to set work remotely, so the closure was not a “learn from home” day; for most pupils it was simply lost instruction.
When the email goes down, so does the lifeline
One of the most telling consequences was communication. The school was unable to contact students and parents through its usual email system, which the incident had disrupted, and instead fell back on its website and Microsoft Teams to reach families. The nature of the incident has not been formally confirmed, but the symptom pattern — systems taken offline, email unavailable, a multi-day outage — is the familiar signature of a malware or ransomware event rather than a minor glitch.
That communication breakdown matters more than it first appears. In an incident, the ability to reach parents quickly is a safeguarding function: it is how a school tells families their children are safe, where to be, and what comes next. When the primary channel goes dark precisely when it is needed most, the school is managing not just an IT failure but a coordination crisis affecting more than a thousand families.
Part of a relentless pattern
Great Marlow is not an isolated case. It is the latest entry in a grinding, sector-wide assault on schools that has made cyberattack-driven closures a routine feature of the UK academic calendar. We have documented this crisis repeatedly — from the broader threat to student data and school operations to the wave of attacks that disrupted the start of the academic year. Schools are soft targets by structural design: stretched budgets, minimal in-house security expertise, sprawling networks of staff and student devices, and a wealth of sensitive data on minors. For an attacker, that combination offers low effort and high leverage.
The damage from a school attack is also distinctively cruel. The currency is not just stolen data but stolen learning time — and, when these incidents land during exam season, the disruption strikes at the single highest-stakes moment in a young person’s school career. A postponed Year 10 mock is recoverable; the stress and chaos injected into students preparing for GCSEs and A-levels is harder to measure and harder to undo.
What schools can take from it
The defensive priorities for a school are the same unglamorous fundamentals that protect any organization, scaled to a sector that rarely has a dedicated security team:
- Tested, offline backups so that a malware infection means restoration, not capitulation — the single most important control for surviving an attack without paying.
- Network segmentation so that a compromise in one corner of the ICT estate cannot spread to the whole institution and force a total shutdown.
- An out-of-band communication plan — a pre-arranged way to reach parents when email and the main systems are down, rather than improvising with Teams and the website mid-crisis.
- A rehearsed incident-response and continuity plan, so that “send the children home” is a degraded fallback with work-from-home provisions ready, not the only available option.
As of the second day, Great Marlow remained closed to most pupils while specialists worked to restore its systems. The exams went ahead because they had to. For everyone else, the school’s network outage became another reminder that in 2026, a cyberattack on a school is measured not in encrypted servers but in empty classrooms.
