- Tammy Buchanan
Cyber Attack: LockBit 5.0 Targets a Primary School
In May 2026, Shottermill Junior School in Haslemere, Surrey became the latest UK primary school to fall victim to a ransomware attack. The LockBit 5.0 group officially listed the school as a victim on 9 June 2026, with threat intelligence monitors detecting the initial network infiltration as far back as 20 May 2026. This means the attackers had approximately three weeks of dwell time inside school systems before the attack became public knowledge.
For school data protection leads, governors, headteachers, and trust leaders, this incident is a reminder that ransomware groups do not discriminate by school size, phase, or geography. A junior school in a quiet Surrey market town is as viable a target as any large secondary or multi-academy trust. The sensitive data schools hold on pupils, staff, safeguarding, medical needs, and finances makes them persistently attractive to criminal groups.
What Happened at Shottermill Junior School
Threat tracking groups first issued public cyber alerts warning of a LockBit breach at the school on 21 May 2026, just one day after the initial infiltration is believed to have occurred. However, the attack was not officially claimed until 9 June 2026, when LockBit 5.0 listed Shottermill Junior School on their dark web victim ‘leak site’.
The gap between initial compromise (20 May) and public listing (9 June) is significant. In ransomware incidents of this type, attackers typically use this period to:
• Move laterally across connected systems and network shares
• Identify and exfiltrate the most sensitive data available
• Disable or corrupt backups to maximise pressure on the victim
• Stage the ransomware payload for deployment at a chosen moment
At the time of writing, the school had not published a public statement on the incident. Parents and community members seeking updates are advised to monitor communications from the school directly. The school is likely working alongside the National Cyber Security Centre (NCSC) and local authority or trust support to investigate the scope of compromised data and secure its systems.
What is LockBit 5.0?
LockBit is one of the most prolific and dangerous ransomware operations ever recorded. Having first emerged in 2019, it evolved through multiple versions before being partially disrupted by a coordinated international law enforcement operation, Operation Cronos, in February 2024, led by the UK’s National Crime Agency alongside the FBI and Europol. Despite this takedown, the group rebuilt on new infrastructure within weeks.
LockBit 5.0 (also known by researchers as “ChuongDong”) was confirmed active in September 2025 and represents a significant capability evolution. Key features of LockBit 5.0 that school IT teams and data leads should understand include:
• Cross-platform targeting: LockBit 5.0 can attack Windows, Linux, and VMware ESXi environments in a single coordinated operation, meaning virtualised school server environments are not safe from attack.
• Ransomware-as-a-Service (RaaS): LockBit operates by licensing its tools to criminal ‘affiliates’ who conduct the actual attacks. This means the technical capability to attack schools is available to a wide range of threat actors, not just the core LockBit group.
• Double extortion: Attackers encrypt data AND exfiltrate it before doing so. Schools face two distinct harms: operational disruption from encryption, and reputational/legal risk from the threatened publication of sensitive personal data.
DPE recommends: Do not pay ransoms. Payment does not guarantee data recovery and may be unlawful. Contact the NCSC immediately if you receive a ransom demand.
Visit the DfE Cyber Security Hub for specific guidance on responding to active ransomware incidents: https://cyber-security-hub.education.gov.uk
How LockBit Gets Into School Systems
Understanding the specific methods LockBit affiliates use to gain initial access is essential for schools and DPOs seeking to prioritise their defences. LockBit 5.0 attacks follow a structured, multi-phase progression. Initial access is the first and often most preventable stage; once attackers are inside, the window for detection narrows considerably.
Research by Unit 42 (2026) identified phishing and vulnerability exploitation as the two dominant initial access vectors in LockBit-linked incidents, each accounting for approximately 22% of cases. The remaining incidents were attributable to credential theft, brute force attacks, and compromised third-party access. For schools, each of these vectors maps directly to common weaknesses in the education sector.
Phishing Emails
Phishing remains the most common way LockBit affiliates get a foothold inside an organisation. A staff member receives a convincing email containing either a malicious attachment or a link to a credential-harvesting page. Once the attachment is opened or credentials are entered, the attacker has their entry point.
LockBit 5.0 affiliates increasingly use AI-assisted tooling to generate more credible and targeted phishing lures, making it harder for staff to spot a malicious email by appearance alone.
Schools are particularly exposed because:
• Staff routinely receive emails from parents, suppliers, and external agencies they do not know personally
• Busy periods such as term starts, OFSTED preparation, and exam season create distraction and urgency that attackers exploit
• Many school email systems lack advanced threat filtering or sandboxing for attachments
What schools should do:
• Deploy email filtering with attachment sandboxing and link scanning on all staff email accounts
• Enable DMARC, DKIM, and SPF email authentication to reduce spoofed sender addresses reaching inboxes
• Deliver annual phishing awareness training to all staff, including simulated phishing exercises
• Establish a clear process for staff to report suspicious emails to the IT team without fear of criticism
Exploitation of Unpatched Vulnerabilities
Where phishing targets people, vulnerability exploitation targets systems. LockBit affiliates routinely scan for known unpatched vulnerabilities in internet-facing systems, web applications, VPN gateways, firewall management interfaces, and remote access portals, and exploit them to gain direct network access without any human interaction.
Schools are disproportionately exposed to this risk because:
• IT resource constraints mean patching is often delayed or inconsistent
• Legacy systems and end-of-life software are common in the education sector
• Third-party IT providers may not have clear, contractual patching obligations under Article 28 agreements
What schools should do:
• Apply critical and high-severity security patches within 14 days of release as a minimum
• Conduct a termly review of all internet-facing systems and confirm they are patched and supported
• Identify and plan the replacement of any end-of-life operating systems or unsupported software
• Ensure third-party IT support contracts explicitly require timely patching and include this as an obligation in Article 28 data processing agreements
Exposed Remote Desktop Protocol (RDP)
Remote Desktop Protocol (RDP) allows users to connect to a computer remotely over a network. It is widely used by school IT staff and third-party IT providers for remote support. However, when RDP is left exposed directly to the internet without adequate protection, it becomes one of the most exploited entry points for ransomware groups.
LockBit affiliates use automated scanning tools to identify systems with RDP ports open to the internet, then attempt to access them using brute force attacks or credentials purchased from criminal markets. The three-week dwell time observed at Shottermill Junior School, from initial infiltration on 20 May to the public claim on 9 June, is consistent with the profile of an RDP-based intrusion, where attackers move slowly and quietly through systems before deploying ransomware.
What schools should do:
• Disable RDP entirely on all systems where it is not operationally necessary
• Where RDP must be used, place it behind a VPN with multi-factor authentication enforced — RDP should never be directly accessible from the internet
• Restrict RDP access to named IP addresses or ranges wherever possible
• Review all IT support contractor access methods and ensure no shared or default credentials are in use
• Log and monitor all RDP connection attempts, including failed logins, as part of routine IT security monitoring
Exposed RDP should be recorded as a critical-rated risk in the school’s cyber risk register and treated as an urgent remediation priority.
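The two controls in the list above that produce data, restricting RDP to named IP ranges and logging every connection attempt including failures, only reduce dwell time if someone actually looks at that data. The following Python detection pass is an added example, not code from the original article or from Data Protection Education, and also serves the "Restrict and Monitor Remote Access" step later on. It runs over constructed records resembling the EventData fields of Windows Security events 4625 (failed logon) and 4624 (successful logon) with LogonType 10, the RemoteInteractive type used by RDP; the field names, thresholds, and addresses are assumptions.

```python
"""Detection pass over RDP logon records, as an added example that is not part
of the original article.  Records are constructed to resemble Windows Security
events 4625 (failed logon) and 4624 (successful logon); LogonType 10 is
RemoteInteractive, i.e. an RDP session.  Thresholds and addresses are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

FAILED, SUCCESS, RDP_LOGON_TYPE = 4625, 4624, 10

# Constructed sample export (addresses from the RFC 5737 documentation ranges):
# a password-guessing burst from an unknown address that ends in a success, one
# mistyped password from a staff PC, and a contractor logon from the agreed range.
SAMPLE_EVENTS = [
    {"time": "2026-05-20T02:14:05", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "admin"},
    {"time": "2026-05-20T02:14:09", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "administrator"},
    {"time": "2026-05-20T02:14:14", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "office"},
    {"time": "2026-05-20T02:14:20", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "headteacher"},
    {"time": "2026-05-20T02:14:27", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "itsupport"},
    {"time": "2026-05-20T02:14:33", "id": 4624, "logon_type": 10, "ip": "203.0.113.7", "user": "itsupport"},
    {"time": "2026-05-20T09:02:11", "id": 4625, "logon_type": 10, "ip": "10.0.5.21", "user": "j.smith"},
    {"time": "2026-05-20T09:02:30", "id": 4624, "logon_type": 10, "ip": "10.0.5.21", "user": "j.smith"},
    {"time": "2026-05-20T11:45:00", "id": 4624, "logon_type": 10, "ip": "198.51.100.4", "user": "msp-support"},
    {"time": "2026-05-20T13:20:00", "id": 4624, "logon_type": 3, "ip": "192.0.2.9", "user": "scanner"},
]
# Named ranges RDP is allowed from: the school LAN and the IT provider's range (constructed).
ALLOWED_NETWORKS = ["10.0.0.0/8", "198.51.100.0/24"]


def rdp_events(events):
    """Keep only RemoteInteractive (RDP) logons, with parsed timestamps, in time order."""
    kept = [{**e, "time": datetime.fromisoformat(e["time"])}
            for e in events if e["logon_type"] == RDP_LOGON_TYPE]
    return sorted(kept, key=lambda e: e["time"])


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Flag each source IP with at least `threshold` failed RDP logons inside a sliding window."""
    by_ip = defaultdict(list)
    for e in rdp_events(events):
        if e["id"] == FAILED:
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, fails in by_ip.items():
        start = 0
        for end in range(len(fails)):
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1  # slide the window forward past stale failures
            if end - start + 1 >= threshold:
                alerts.append({"ip": ip, "failures": end - start + 1,
                               "usernames": sorted({f["user"] for f in fails[start:end + 1]})})
                break  # one alert per source address is enough
    return alerts


def success_after_failures(events, min_failures=3):
    """Flag a successful RDP logon from an address that had just failed repeatedly:
    the signature of a guessed or purchased password that finally worked."""
    alerts, recent = [], defaultdict(int)
    for e in rdp_events(events):
        if e["id"] == FAILED:
            recent[e["ip"]] += 1
        elif e["id"] == SUCCESS:
            if recent[e["ip"]] >= min_failures:
                alerts.append({"ip": e["ip"], "user": e["user"], "prior_failures": recent[e["ip"]]})
            recent[e["ip"]] = 0  # a success resets the run for that address
    return alerts


def logons_outside_allowlist(events, allowed_networks):
    """Successful RDP logons from addresses outside the named ranges the school has approved."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    return sorted({e["ip"] for e in rdp_events(events)
                   if e["id"] == SUCCESS
                   and not any(ipaddress.ip_address(e["ip"]) in n for n in nets)})


if __name__ == "__main__":
    print("bursts:", failed_logon_bursts(SAMPLE_EVENTS))
    print("success after failures:", success_after_failures(SAMPLE_EVENTS))
    print("outside allowlist:", logons_outside_allowlist(SAMPLE_EVENTS, ALLOWED_NETWORKS))
```

Any hit from the second or third check on a school network is worth an immediate call to the IT provider, since both describe an account that is already inside rather than one being knocked on.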
Stolen or Brute-Forced Credentials
LockBit affiliates frequently obtain valid login credentials through three routes: purchasing them from criminal markets where previously breached usernames and passwords are sold; using brute force tools to repeatedly try common passwords against login portals; or stealing them directly via phishing or information-stealing malware.
Once an attacker has valid credentials for a school system, particularly an account with administrative privileges, they can move through the network without triggering malware alerts, because their activity looks like that of a legitimate user.
What schools should do:
• Enforce multi-factor authentication (MFA) on all staff accounts, with particular priority on administrative accounts, remote access, and the school MIS
• Enforce a strong password policy: minimum 12 characters, no reuse of previous passwords, and no use of easily guessable terms such as school names or season/year combinations
• Use a password manager to support staff in using unique, complex passwords
• Check whether school email domains or staff credentials appear in known data breach databases, such as via Have I Been Pwned (haveibeenpwned.com), and reset any compromised passwords immediately
• Disable or remove accounts for staff who have left the school: stale accounts are a significant and often overlooked risk
Compromised Third-Party Access
Many ransomware attacks enter a school not through the school’s own systems but through a third party with access to them. IT support contractors, cloud platform providers, and managed service providers (MSPs) typically have elevated, often administrative, access to school networks. If a supplier’s own systems are compromised, that access can be leveraged to attack the schools they support.
This is a significant data protection risk under UK GDPR. Where a breach occurs via a processor, the school as controller remains accountable. Article 28 UK GDPR requires that data processing agreements with IT providers specify security obligations, including those relating to access control and breach notification.
What schools should do:
• Ensure valid Article 28 data processing agreements are in place with all IT providers and managed service providers
• Review what level of access each third party holds and apply the principle of least privilege: contractors should have only the access necessary for their specific role
• Require that IT providers use named individual accounts rather than shared service accounts, so that access can be audited and withdrawn when staff leave
• Ask IT providers for evidence of their own cyber security controls, including Cyber Essentials certification, as part of procurement and contract renewal processes
• Ensure third-party access is logged and that the school retains the ability to revoke access rapidly in the event of a suspected incident
DPO Action Point — Third-Party Access Review: As part of your next annual review, ask your IT provider or MSP to confirm: (1) whether RDP or remote access to school systems is protected by MFA; (2) whether individual named accounts are used for remote access; (3) whether access credentials are regularly rotated; and (4) whether they hold Cyber Essentials certification. Document their responses. If satisfactory answers cannot be provided, this should be recorded in your risk register and escalated to the headteacher and governing body.
Why Schools Are Targeted: A Data Protection Perspective
As DPOs advising schools and trusts, it is important to understand the specific data protection risk profile that makes educational settings attractive to ransomware groups. Schools routinely hold:
• Special category personal data: Medical information, SEND records, and mental health data relating to children, processed under Article 9 UK GDPR.
• Safeguarding records: Child protection files, cause for concern logs, and case conference minutes containing highly sensitive information about vulnerable children.
• Biometric data: Fingerprint and facial recognition data for cashless catering or access control systems, also special category under Article 9.
• Financial records: Staff payroll, bank details, pension information, and family financial assessments for free school meals or bursaries.
• Extensive third-party sharing networks: Schools connect to local authority systems, NHS services, MAT platforms, cloud tools, and external support agencies, all of which are potential attack vectors.
The exfiltration of any of these categories in a ransomware attack triggers obligations under UK GDPR and the Data Protection Act 2018. Schools must assess whether a personal data breach has occurred, which, in a ransomware incident, it almost certainly has, and respond accordingly.
UK GDPR Obligations When a Ransomware Attack Occurs
A ransomware attack affecting personal data is a personal data breach under Article 4(12) UK GDPR. The key obligations for school DPOs are as follows:
1. Assess and Record the Breach
The school must immediately assess the nature and scope of the breach. Under Article 33(5) UK GDPR, all personal data breaches must be documented in the school’s breach register, regardless of whether they are reported to the ICO. The breach record should capture:
• The facts of the breach: what happened, when, and how it was discovered
• The categories and approximate volume of personal data affected
• The likely consequences for affected individuals
• The remedial actions taken
2. Report to the ICO Within 72 Hours
Where a breach is likely to result in a risk to the rights and freedoms of individuals, the school must notify the ICO within 72 hours of becoming aware of it, under Article 33 UK GDPR. In a ransomware incident at a school, this threshold will almost always be met given the sensitivity of data involved. Notification should be made via the ICO’s online reporting portal.
Where notification cannot be made within 72 hours, the school must provide the notification along with reasons for the delay. ‘Complexity of the incident’ alone is not sufficient justification for delay — schools should notify with the information available at the time and supplement later where needed.
3. Notify Affected Individuals
Where a breach is likely to result in a high risk to the rights and freedoms of individuals, the school must also notify the affected data subjects directly, under Article 34 UK GDPR. Given that school data includes children’s safeguarding records and medical data, the bar for ‘high risk’ is likely to be met in most ransomware scenarios. Communication should:
• Be clear and plain English
• Explain what data was affected and what the school is doing in response
• Advise individuals on any steps they can take to protect themselves
• Not be delayed pending a full forensic investigation — notify with what is known
4. Review Article 28 Processor Agreements
Where the breach involves a third-party system or processor, such as a cloud platform, MIS provider, or IT support contractor, the school’s data protection lead must check whether valid Article 28 UK GDPR data processing agreements are in place and whether those processors have met their notification obligations. Processors are required to notify the controller ‘without undue delay’ after becoming aware of a breach.
Data Lead Action Point: Review all Article 28 agreements held for school IT systems. Ensure each agreement clearly sets out the processor's breach notification obligations. This is a frequent gap identified during ICO investigations following school ransomware incidents.
What Schools Can Do to Reduce the Risk of LockBit and Ransomware Attacks
The following practical steps are aligned to the DfE’s Cyber Security Standards for Schools and Colleges (updated January 2025), which can be accessed via the DfE Cyber Security Hub:
Access the DfE Cyber Security Hub here: https://cyber-security-hub.education.gov.uk
Access the full DfE Digital and Technology Standards here: https://www.gov.uk/guidance/digital-and-technology-standards-for-schools-and-colleges. DPE Customers have access to a full set of tracker tools on our Knowledge Bank platform.
1. Conduct and Maintain a Cyber Risk Assessment
The DfE Cyber Security Standards require schools to conduct a cyber risk assessment annually and review it every term. A current risk assessment should explicitly consider ransomware as a threat vector and document the controls in place to mitigate it. For LockBit-style attacks specifically, the risk assessment should address:
• Remote Desktop Protocol (RDP) exposure — a common LockBit entry point
• Phishing susceptibility among staff
• Unpatched or end-of-life software and operating systems
• Third-party access to school systems (IT providers, cloud services)
2. Implement Multi-Factor Authentication (MFA) Across All Systems
LockBit affiliates frequently gain initial access through stolen or brute-forced credentials. MFA significantly reduces the risk of credential-based attacks. Schools should ensure MFA is enabled for:
• All staff email accounts (Microsoft 365 or Google Workspace)
• Remote access services, VPNs, and remote desktop connections
• The school MIS (Management Information System)
• Any system accessible from outside the school network
This aligns to the DfE standard on ‘Control and secure user accounts and access privileges’ and is a core requirement of Cyber Essentials certification.
3. Patch and Update All Software and Systems
Unpatched vulnerabilities are consistently exploited in LockBit attacks. The DfE standard on ‘Licence digital technology and keep it up to date’ requires schools to ensure all software and operating systems are actively maintained and patched. Schools should:
• Apply critical security patches within 14 days of release
• Identify and replace any end-of-life operating systems (e.g. Windows 10 reaches end of support in October 2025)
• Maintain a complete inventory of all digital assets and their support status
• Include third-party IT providers in patching responsibilities under Article 28 agreements
4. Maintain Secure, Tested Backups
Backup integrity is the single most important factor in recovering from a ransomware attack without paying a ransom. The DfE Cyber Security Standards require schools to develop and implement a data backup plan, reviewed annually. The DfE recommends a 3-2-1 backup strategy:
• Three copies of data
• On two different media types
• With one copy held off-site or in isolated cloud storage
Critically, backups must be tested regularly. An untested backup is an unknown backup. Schools should also ensure that backup systems are not connected to the live network in a way that would allow ransomware to encrypt them — ‘air-gapped’ or immutable backups are strongly recommended.
5. Restrict and Monitor Remote Access
Exposed Remote Desktop Protocol (RDP) is one of the most common entry points for LockBit affiliates. Schools and IT providers should:
• Disable RDP entirely where it is not operationally necessary
• Where RDP is required, place it behind a VPN with MFA enforced
• Monitor all remote access logs for unusual activity
• Ensure IT support contractors do not use shared or default credentials
Exposed RDP is also a high-risk entry in any school cyber risk register and should be rated as critical severity if unmitigated.
6. Deliver Regular Cyber Security Awareness Training
The DfE requires schools to create and implement a cyber awareness plan for students and staff. Phishing emails remain a primary delivery mechanism for ransomware payloads. Staff training should cover:
• Recognising phishing and spear-phishing emails
• Not opening unexpected attachments or clicking unknown links
• Reporting suspicious emails to the IT team immediately
• Password hygiene and the use of password managers
Training should be annual as a minimum but ideally more frequent, and should be documented for accountability and DfE compliance purposes.
7. Develop a Cyber Incident Response Plan
The DfE Cyber Security Hub provides a template for a cyber support plan, which schools can use to build a documented incident response procedure. A school’s incident response plan should pre-assign responsibilities for:
• Isolating affected systems to prevent spread
• Contacting the NCSC (0300 020 0973) and local authority or trust IT support
• Notifying the ICO within 72 hours if personal data is affected
• Communicating with parents, staff, and governors
• Logging all actions taken for evidential and regulatory purposes
The plan should be tested annually; the DfE Cyber Security Hub includes guidance on cyber incident exercises and simulations. Schools without a documented response plan are both more vulnerable and more likely to face regulatory criticism from the ICO following an incident.
8. Pursue Cyber Essentials Certification
Cyber Essentials is a government-backed scheme that provides assurance against the most common cyber attack vectors. The DfE’s January 2025 update to the Digital Standards introduced Cyber Essentials certification as a requirement for colleges and special post-16 institutions, and schools are strongly encouraged to pursue it.
Cyber Essentials covers five key controls: firewalls, secure configuration, user access control, malware protection, and patch management, each of which is directly relevant to preventing a LockBit-style attack.
The Governance Dimension: Boards, Governors, and Trustees
Ransomware is not solely an IT problem. It is a governance and data protection risk that must be owned at board level. The NCSC annual review for 2025 noted that cyber security is ‘no longer just an IT issue’ but ‘a boardroom priority’. The DfE’s January 2025 update to the Digital Standards introduced an explicit expectation that trusts build digital leadership capacity at board level.
For school governors and academy trustees, this means:
• Receiving regular cyber security updates as a standing board agenda item
• Challenging senior leaders on the school’s progress against DfE Cyber Security Standards
• Ensuring the school has a named cyber security lead (fewer than one in six schools currently does)
• Reviewing the school’s cyber incident response plan and ensuring it has been tested
• Understanding the DPO’s reporting obligations following a breach and ensuring the DPO has direct board access
The forthcoming Cyber Security and Resilience Bill is expected to introduce mandatory incident reporting requirements for schools, meaning ransomware attacks and significant data breaches will need to be formally reported to regulators. Schools that are not yet meeting the DfE Cyber Security Standards have a compliance gap that is likely to become a legal exposure in the near future.
If It Happens to Your School: Immediate Steps
Immediate actions if you suspect a ransomware attack:
1. Isolate affected devices from the network immediately — disconnect from Wi-Fi and Ethernet. Do not switch devices off.
2. Contact the NCSC Incident Management Team: 0300 020 0973 (available 24/7).
3. Contact your local authority or MAT IT support and your DPO.
4. Do not pay any ransom demand without legal advice. Payment may be unlawful and does not guarantee data recovery.
5. Start your breach log immediately — document everything as it happens.
6. Assess personal data impact and notify the ICO within 72 hours if warranted.
7. Preserve evidence — do not attempt to clean or restore systems without professional forensic guidance.
Access the DfE Cyber Security Hub for live incident guidance: https://cyber-security-hub.education.gov.uk
Conclusion
The LockBit 5.0 attack on Shottermill Junior School is a stark illustration of a threat that every school in England must take seriously. No school is too small, too remote, or too underfunded to be targeted. The data schools hold on children and families is highly valuable to criminal groups, and the operational disruption caused by ransomware can have lasting consequences for teaching, learning, and community trust.
Data Protection Education strongly encourages all schools and multi-academy trusts to:
• Review their current position against the DfE Cyber Security Standards
• Access the DfE Cyber Security Hub for practical resources and templates
• Ensure their cyber incident response plan is documented, tested, and known to all relevant staff
• Review their breach response procedures and confirm ICO notification timelines are understood by the DPO and senior leadership
For further guidance, visit the DfE Cyber Security Hub: https://cyber-security-hub.education.gov.uk
Access DfE Digital and Technology Standards: https://www.gov.uk/guidance/digital-and-technology-standards-for-schools-and-colleges
Report a cyber incident to the NCSC: https://report.ncsc.gov.uk
Report a personal data breach to the ICO: https://ico.org.uk/for-organisations/report-a-breach/
About this article
This article was produced by Data Protection Education (dataprotection.education), a specialist data protection consultancy and DPO service for schools and multi-academy trusts in England. It is intended for information and guidance purposes and does not constitute legal advice. Schools facing an active cyber incident should seek immediate professional support.
