Cyber Incident Victim: Thomas Hardye School

Date: May 2023

Location: United Kingdom

Summary

Thomas Hardye School was targeted in a cyber attack that encrypted its IT systems and was accompanied by a ransom demand. The school refused to pay the ransom, leading to a prolonged disruption of email services, online payment systems, and access to student records. While the school remained open and exams proceeded as scheduled, normal operations were severely impacted. The incident response involved collaboration with the National Cyber Security Centre and police to restore systems.

Description

On or around Sunday, May 21, 2023, Thomas Hardye School in Dorchester was targeted in a cyber attack in which the perpetrators locked the school's IT systems. The lockout was accompanied by a formal ransom demand issued to the school, specifying that payment was to be made via the dark web, which points to a ransomware operation. The attack rendered the school's core IT infrastructure inoperable, immediately impacting its administrative and operational functions. The school, which educates more than 2,000 pupils, found its screens and systems inaccessible following the initial compromise.

The immediate consequence of the systems being locked was a widespread loss of access to critical services reliant on the school server. The school's email communication system was completely disabled, severing a primary channel of contact between the school administration and parents. Financial operations were also halted, as the school became unable to accept any form of payment, including canteen payments for student meals. Internal record-keeping systems were similarly affected and became unavailable. This comprehensive shutdown of digital infrastructure forced the school to revert to analogue methods of communication and operation to maintain basic functionality.

In response to the incident, the head teacher, Nick Rutherford, communicated directly with parents to outline the situation and the school's immediate plans. He confirmed the school would remain open despite the severe IT disruptions. Teaching and learning were to be adapted accordingly to function without reliance on the compromised digital systems. A critical reassurance was provided regarding the ongoing GCSE and A-Level examinations; these were confirmed to continue running as normal. The school implemented specific contingencies to ensure that students with access arrangements, typically requiring technological aid, were still able to complete their exams without disadvantage.

The school's leadership made a definitive decision regarding the ransom demand, publicly stating that it would not pay the attackers. This decision aligned with standard guidance from law enforcement and cyber security authorities, who advise against paying ransoms because payment funds criminal activity and does not guarantee the restoration of systems. Instead of negotiating with the threat actors, the school engaged external professional support to manage the incident response. This involved formally working with the National Cyber Security Centre (NCSC), the UK's authority for cyber security, and reporting the crime to the local police.

The engagement with the National Cyber Security Centre and police represented the core of the technical and investigative response. In such cases these agencies typically assist in analysing the attack vector, identifying the specific ransomware variant used, and providing guidance on containment and recovery procedures. The recovery process involved isolating infected systems, preventing further spread of the malware, and ultimately restoring systems from clean backups where available. The public announcement served to manage the expectations of parents and students, informing them that the restoration of IT services would be a prolonged process managed by experts.

The impact on daily school life was significant and multifaceted. The loss of email required parents to communicate with the school via telephone, creating potential bottlenecks and delays in information flow. The inability to process canteen payments necessitated temporary adjustments to how students received meals, likely involving alternative procedures to ensure no student was unable to eat. The unavailability of internal records meant that staff had to rely on offline methods for tracking student information and attendance. The attack disrupted not only educational administration but also the practical day-to-day logistics of running a large institution.

Despite the severe disruptions to its backend operations, the school's primary educational mission was maintained. The commitment to keeping the school open ensured that students' education was not further interrupted. The successful continuation of examinations was particularly crucial, as any disruption to GCSEs and A-Levels could have had serious long-term consequences for students' academic progression and future opportunities. The pre-planned contingencies for access arrangements were a vital component of this, ensuring compliance with legal requirements and fairness for all students.

The incident at Thomas Hardye School exemplifies the vulnerability of educational institutions to cyber threats. The attack specifically targeted essential services to maximise pressure for a ransom payment. The school's response, characterised by a refusal to pay, a commitment to remaining open, and the immediate engagement of national cyber security authorities, reflects a standard organisational response to such a crisis. The event highlighted the critical dependencies modern schools have on digital infrastructure for communication, finance, and record-keeping, and the severe operational challenges that arise when that infrastructure is suddenly rendered unavailable.
