BLS Stay Compliant


The Cost of Ransomware Attacks on Schools & Academies

The number and frequency of ransomware attacks are on the rise, with 150 incidents reported to the ICO (Information Commissioner’s Office) in the final quarter of 2020 alone. In addition, a further 249 reports regarding phishing attempts were made in the same period.

The costs of ransomware attacks on schools and academies seem clear, with large sums of money being demanded for the return of sensitive personal data, as well as the associated reputational damage from suffering such an attack.

However, there are additional, sometimes ‘hidden’, costs associated with such incidents, and two recently reported attacks demonstrate this.


Example 1

In June this year two schools from a MAT suffered a ransomware attack.

As a result of the attack, data was encrypted, which meant that staff no longer had access to vital pupil information, including emergency contact details. The Trust took the decision to temporarily close both schools whilst they repopulated their information management system records.

Guidance on the Trust’s website states that the schools were closed because ‘There are certain safeguarding documents that any school is required to have in order to be allowed to be open. Unfortunately, these files we no longer have access to. In addition to this we need to make sure that we have access to all medical information, emergency contact details of all students and staff, which we also currently do not have access to.’

Even if no ransom was paid, the additional ‘costs’ to the schools were:

  • Having to close for a period of time had a significant impact on the pupils and families who attend the schools.
  • There was an additional cost in terms of administrative time whilst the schools collected and repopulated their management information systems with the details of all their children.
  • The local media reported that the Trust also highlighted a further cost, stating: ‘This is on top of having to rebuild all computers so that we can access resources required to teach.’


Example 2

Details about a ransomware attack on another MAT, which educates approximately 38,000 children in 50 academies (primary and secondary), have recently been made public.

The attack took place in March of this year and affected personal data, which was encrypted; at one point the attackers threatened to sell some of the stolen files via the dark web. The TES reported that the Trust’s CEO had outlined the additional costs this attack incurred.

The additional ‘costs’ identified were:

  • The distress caused to children in cases where it was not possible to access their coursework files.
  • The CEO is quoted as stating that the remedial work carried out by the Trust in terms of scanning laptops cost an estimated £500,000.

Whilst the demands from ransomware attacks are large, it is clear that the associated additional costs are also significant. With such attacks on the rise, it is imperative that schools and academies take all possible precautions to protect their data and ultimately safeguard their children and families.

BLS Stay Compliant has years of experience of supporting schools with their data protection needs, in terms of specialist training, focused audits and direct support to improve data protection policies and procedures.


We support public sector organisations to ensure that they remain compliant across the full breadth of data protection. The team has over 85 years’ combined experience of working in the public sector, including one team member who worked in the education sector for 25 years, over a decade of that as a Headteacher.


We can support schools, academies, MATs, colleges and universities with a range of specialist services and training packages.


  • Data protection awareness for whole staff and volunteers.
  • Awareness and compliance for governors and Trustees.
  • Focused training for staff with specialist roles including Business Managers, Headteachers, Data Protection Officer (DPO) and Information Asset Owners (IAO).
  • Safer Recruitment procedures.
  • Subject Access Requests (SARs) – how to manage and reply to them, including the use of redaction.
  • We can also support schools to identify key training areas and compile a Training Needs Programme.

Specialist Support:

  • We can act as the designated DPO for your organisation providing regular support and guidance.
  • Support with key data protection paperwork including Data Protection Impact Assessments (DPIAs), data flow mapping, risk registers, Privacy Notices and key policies.
  • Support to respond to Subject Access Requests including redaction and response letters.


  • Full audits of all key Data Protection and UK GDPR policies and guidance.
  • Physical security audits to ensure sites are physically secure and so data is effectively protected.
  • At the end of both audits a full report complete with recommendations will be issued.


If we can support you with any aspect of data protection compliance and training, please contact us and one of the team will be happy to discuss your needs:

Tel: 01757 616885



