Data security in schools: evolving risks and the need for vigilance
As we head into the Christmas holiday season, it can feel a bit Grinch-like to be talking about data breaches, hacking, ransomware and other similarly un-festive topics.
Unfortunately, however, not only do schools remain a notable target for cyber criminals but we know from recent years that striking during the holiday period – when staff availability and response times are more limited – can be a specific tactic.
Overworked staff and outdated software are only going to exacerbate the risks of system penetration by bad actors, and will be factors in the enforcement risk too. Given the nature, sensitivity and volume of the information they hold on parents, pupils and staff, it is vital that schools show preparedness for these incidents.
Current trends and areas of risk for the sector
In this article we highlight the trends in this area that we have been seeing in 2025 and flag some key recommendations both for mitigating risk in the first place and dealing with the consequences of a data security incident.
Phishing attacks and fees / invoice fraud
We are continuing to see hackers using email phishing techniques (which only require one staff member to fall victim to a malicious link or attachment) to gain access to staff email accounts. While in theory the hackers then have access to all kinds of sensitive pupil data, our experience with this routine is that their primary interest is in defrauding parents over fees. Typically, they send out a message to some or all parents chasing alleged debts or offering fee discounts for advance payment (with false bank details provided). The social engineering is made easier by the access the hackers will have had to prior correspondence with parents.
Many such emails have tell-tale suspicious signs – including 'new' bank details, clumsy phrasing or syntax and uncharacteristic pressure around a deadline for payment – and it is always sensible for schools to communicate regularly with parents to remind them of how they will typically seek payment, and how they will not. However, we have seen these messages become more sophisticated in composition and targeting recently, including in the way that hackers have been able to create plausible-looking invoices (complete with the correct pupil details and contact information of parents). Sometimes convincing copycat email addresses are used, even if the hackers have successfully been shut out of the staff member's own account.
Overseas parents have been particularly vulnerable to these tactics. It seems likely they are targeted because they may not speak English as a first language, and also because bank-to-bank recovery of misdirected funds is better coordinated between UK bank accounts than across borders. We have noticed that those who are new to the school, and/or have primarily interacted with the school via educational consultants / agents in the first instance, often fall victim.
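The tell-tale signs described above (bank details that are not the school's own, and pressure or discount language around payment) can be turned into a simple screening check that a school's IT team could run over fee-related emails before they are sent or when parents forward them for verification. The following is an added example, not code from the original article; the school's registered bank details, the phrase list and the two sample emails are all constructed for illustration.

```python
import re

# Constructed: the school's genuine fee-payment details (sort code, account number).
# In practice this allowlist would come from the bursary's records.
SCHOOL_BANK_DETAILS = {("12-34-56", "12345678")}

# Wording that matches the pressure / discount tactics the article describes.
URGENCY_PHRASES = (
    "within 24 hours", "immediately", "final reminder", "overdue",
    "discount", "early payment", "new bank details", "updated bank details",
)

# UK sort code (NN-NN-NN, NN NN NN or NNNNNN) and 8-digit account number.
SORT_CODE_RE = re.compile(r"\b(\d{2})[- ]?(\d{2})[- ]?(\d{2})\b")
ACCOUNT_RE = re.compile(r"\b(\d{8})\b")


def extract_bank_details(text):
    """Return every (sort code, account number) pairing found in the text,
    with sort codes normalised to the NN-NN-NN form."""
    sort_codes = {"-".join(m.groups()) for m in SORT_CODE_RE.finditer(text)}
    accounts = set(ACCOUNT_RE.findall(text))
    return {(s, a) for s in sort_codes for a in accounts}


def score_fee_email(text):
    """Score a fee-related email. Returns (score, reasons); a score of 0 means
    no sign flagged. Unknown bank details weigh more than wording alone."""
    reasons = []
    unknown = extract_bank_details(text) - SCHOOL_BANK_DETAILS
    if unknown:
        reasons.append(f"bank details not on the school's allowlist: {sorted(unknown)}")
    lowered = text.lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        reasons.append(f"pressure/discount language: {hits}")
    return 2 * bool(unknown) + len(hits), reasons


# Constructed sample emails: one genuine reminder, one invoice-fraud attempt.
GENUINE = ("Dear parent, spring term fees are due on 15 January. Please pay to "
           "sort code 12-34-56, account 12345678, quoting the pupil reference.")
FRAUD = ("FINAL REMINDER: your fees are overdue. Pay within 24 hours to our new "
         "bank details: sort code 98-76-54, account 87654321, for a 10% early "
         "payment discount.")

if __name__ == "__main__":
    for label, email in (("genuine", GENUINE), ("fraud", FRAUD)):
        print(label, score_fee_email(email))
```

A non-zero score is a prompt for a human to verify the message against the school's published payment process, not an automatic block.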
Deepfake manipulation of imagery
Other recent nefarious incidents have included the use of AI deepfake technology to create Child Sexual Abuse Material based on pictures of pupils scraped from publicly accessible school websites and social media accounts. This is then followed by a ransom demand: sometimes via school social media, and sometimes delivered first to parents rather than the school in order to increase the pressure to pay.
For example, in a recent, high-profile case, although not involving deepfakes, hackers attempted to extort the nursery chain Kido (and individual parents themselves), after stealing pictures and contact details (and even safeguarding information) of thousands of children. In this case, the hackers climbed down after media pushback, but we are aware of more worrying cases which have seen cyber criminals send 'proof' of obscene images to demonstrate the seriousness of the threat. Staff need to be very careful not to commit criminal offences themselves in handling such images.
Clearly all schools need to be particularly vigilant against these kinds of evolving and technologically sophisticated threats – and ensure that system security, staff training and regular penetration testing is a top priority for senior leadership.
The UK Safer Internet Centre has published guidance for schools and colleges on some of the practical image and video management steps that can be taken to reduce or mitigate the risk of online image scraping or misuse. We understand that many schools use pupil images online, via websites and social media, and doing so does not constitute a security breach per se – however, parents and pupils will want to be properly informed as to the risk, and this will be a factor in obtaining marketing image permissions.
Non-cyber incidents
Aside from these more direct and sinister threats, it is also crucial that schools focus on the more 'everyday' risks. In fact, although not sector-specific, from the statistics published by the ICO on data breach reports sent to the regulator, we know that the vast majority (76%) of incidents reported in Q2 of 2025 were 'non-cyber' incidents – ie they did not have a clear online or technological element, meaning for example they related to breaches involving hard copy material (files left on public transport, printers and photocopiers) or misdirected emails.
This is clearly an area where regular staff training and clear policies and procedures on information handling and data security are vital.
Vulnerabilities in the supply chain
The final trend to flag is where schools, rather than being the direct victim of an attack, fall victim to one indirectly, via a breach at a supplier. In fact, in one recent case, the attack was even further down the supply chain. Online SCR, which carries out and maintains background record checks on staff for clients including schools, was affected when one of its suppliers, the software provider Intradev, was hit by a data breach. In the past we have seen supply chain breaches affect CRM providers and payment processors. Whilst primary enforcement focus may be on the suppliers, if the school is the data controller, then as a matter of law – quite aside from in the court of public opinion – it also has responsibility for the affected data and may itself be held liable.
What can schools do to prevent and mitigate data security incident risks?
In the face of these ongoing and evolving threats, what can schools do? These actions are best split between prevention/risk reduction and incident response:
- Prevention/risk reduction:
  - Appropriate technical and organisational measures, such as multi-factor authentication for access to staff email accounts and segregation of data on the system so that staff can only access what they need to know, rather than the whole system. Technological measures to prevent scraping of material from websites should also be considered, as well as careful consideration of the school's policy and consents in terms of its use of images of real, current pupils online.
  - Supplier risk management: Data Protection Impact Assessments carried out in relation to the use of suppliers, due diligence on those suppliers' credentials (eg security, incident response, insurance), and robust, properly negotiated contracts (particularly when it comes to reporting breaches and provision of information about those incidents, as well as appropriate indemnities and incident support).
  - Regular testing and 'tabletop' simulation exercises.
  - Staff training and clear communications to parents, eg around fee invoice fraud, making it clear that the school will never request payment in certain ways.
  - Cyber insurance cover.
  - Developing and keeping up to date a response plan which is practical, tested, understood by senior management and available in case IT systems are offline.
- Responding to an incident:
  - Immediate containment and assessment using staff and/or outside resources who are suitably skilled in dealing with incidents and able to act quickly.
  - Awareness of the personal data breach reporting regime under the UK GDPR: ie reporting to the ICO, where feasible, within 72 hours of becoming aware of the breach where a risk to individuals is likely and, where there is a high risk, notifying affected individuals without undue delay. Sometimes it is appropriate to provide an initial report to the ICO and then a fuller/updated notification once further investigations have been carried out.
  - Contact with a local police force who can assist – particularly important when there are obscene images of pupils, where storing and/or copying those images could be a criminal offence in itself.
  - PR and communications management.
  - Post-incident review and 'lessons learned' exercise.
How we can help
We have extensive experience of helping schools to navigate risks in this area, helping identify the real priority risks while giving pragmatic advice and reassurance where risks can be quickly and suitably mitigated.
We can take part in incident planning and policy development (including assisting with staff training and school leadership crisis simulation) as well as advise on the post-incident actions that should be taken, including ICO reporting and communications strategy. We also work closely with specialists in the data forensics/IT security and crisis communications fields to ensure a fully joined-up and coordinated approach. And we are used to working with insurers in a way that maximises the cover that you will receive.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, December 2025