Cyber Incident Victim: Harris Federation
Date: Mar 2021
Location: United Kingdom
Summary
A London-based nonprofit education trust operating 50 schools experienced a sophisticated ransomware attack that encrypted IT systems and disrupted operations, forcing the organization to disable email servers, landline phones, and student devices to contain the infection. The incident impacted communications and IT infrastructure across its academies, though schools remained open with redirected phone services. The trust collaborated with national law enforcement and cybersecurity agencies to investigate, noting it was among multiple UK educational institutions recently targeted in similar attacks following official alerts about heightened ransomware threats to the sector. While the attack’s origin remained unconfirmed, it occurred amid a broader surge in incidents affecting schools, with preliminary but unverified reports suggesting potential links to known ransomware operations.
Description
On March 27, 2021, the Harris Federation—a nonprofit managing 50 primary and secondary academies serving 37,000 students across London and surrounding areas—experienced a ransomware attack that disrupted its IT infrastructure. The incident compromised and encrypted the organization's systems, prompting an immediate shutdown of email servers and landline phone networks, with calls redirected to mobile devices. As a containment measure, the Federation disabled all student-issued devices to prevent further propagation of the ransomware. The attack was detected over the weekend, though the full scope of data compromise remained undetermined during initial response efforts. Harris Federation publicly confirmed the incident on March 29 via Twitter and its website, acknowledging the sophistication of the attack and its anticipated operational impact. The organization collaborated with the UK National Crime Agency, National Cyber Security Centre (NCSC), and an unnamed cybersecurity firm to investigate the breach. Despite system disruptions, all affiliated schools remained operational until the scheduled end of term on March 31.

This incident occurred amidst a documented surge in ransomware attacks targeting UK educational institutions, following an NCSC alert issued on March 23 regarding increased activity since late February. Harris Federation noted it was at least the fourth multi-academy trust targeted during March 2021, reflecting a broader pattern that included a prior wave of attacks against the education sector in August-September 2020. While no threat actor was officially attributed, unverified cybersecurity community sources suggested possible involvement of the REvil ransomware operation—a group concurrently linked to a separate $50 million ransom demand against Acer. The FBI had also issued a March 2021 advisory warning of Pysa ransomware targeting educational entities in 12 US states and the UK. Immediate consequences for Harris Federation included prolonged system outages, investigation costs, and operational disruptions affecting administrative and communication channels across its network of schools.
