Back to Knowledge Vault

Great Marlow School partially closed after cyber attack

A malware incident has shut down ICT systems at Great Marlow School in Buckinghamshire, cancelling lessons and silencing parent communications. Here is what it tells us.

A secondary school in Buckinghamshire has been forced to partially close after a cyber attack disrupted its IT systems and communications. Great Marlow School confirmed that a malware incident had affected its ICT network, prompting staff to shut down parts of the system as a precaution while an investigation continues.

What happened

According to the school and reporting by the BBC, the disruption has left Great Marlow School unable to contact parents and carers through its usual email system, and unable for teachers to set work in the normal way. Students in Years 11 and 13 were told to attend for external exams, but the school was closed to most pupils on Wednesday and internal exams for Years 10 and 12 were postponed. A Year 7 rowing lesson was also cancelled.

Headteacher Guy Pendlebury said the school was working with cyber-security professionals to restore normal operations and was responding in line with guidance from the Department for Education and the National Cyber Security Centre.

Why a school is a target

Schools sit on a perfect storm of conditions for attackers. They hold sensitive data on minors, staff and finances. They run lean IT teams. They depend on a small number of cloud platforms for everything from registers to safeguarding logs. And they are obliged to keep operating, which makes recovery pressure unusually high.

Most school networks are also flat by design. Once an attacker is inside the email system or the management information system, lateral movement to file shares, printers and curriculum systems is rarely difficult.

The pattern we keep seeing in UK education

Great Marlow joins a long and growing list of UK schools, colleges and academy trusts hit by ransomware or destructive malware in recent years. The National Cyber Security Centre has issued repeated warnings to the education sector, and the Information Commissioner has published guidance for schools recovering from incidents.

The common thread is not exotic attacker tooling. It is the absence of a clean, offline, verifiable copy of the data that matters, combined with a network where one compromised account can reach almost everything.

What schools should do differently

• Hold at least one copy of critical data offline, in hardware the IT team can physically see and physically disconnect.
• Segment the network so that the email tier, the curriculum tier and the safeguarding tier cannot freely reach each other.
• Rehearse recovery on the assumption that the online backup is also compromised. If the recovery plan depends on the same cloud tenancy that was breached, it is not a recovery plan.
• Keep a tested out-of-band channel for contacting parents when the main email system is down.

The Firevault view

Mark Fermor, co-founder of Firevault, said: "What happened at Great Marlow is not a failure of one school. It is a failure of an architecture that asks education to defend the same attack surface as a bank, with a fraction of the budget and none of the regulatory air cover. The answer is not more cloud. The answer is a copy of the data that the attacker cannot reach, because it is not on the network at all."

Firevault Offline Secure Storage holds a copy of the data that matters in hardware that is physically disconnected from the internet by default. Firebreak adds a hardware boundary between the parts of a school network that need to talk to the outside world and the parts that do not. Together they remove the single point of failure that turns a malware incident into a multi-week closure.

Read more about how this approach works in Offline Secure Storage and Firevault Control.

Share this article