Why cybercriminals target schools - and what to do about it

Most cybercriminals are motivated by one thing: money. Some want to cause disruption or gain notoriety, but the majority are after financial gain, either by tricking schools into transferring funds or by stealing personal data to sell on.

 

That second motivation is what makes school cybersecurity so high-stakes. When criminals target your school's network, they're often after the personal information of your pupils, staff, and parents. Protecting that data is both best practice and a legal requirement under the UK GDPR.

 

In this blog, we'll look at why schools have become such an attractive target, why cybersecurity sits at the heart of data protection, and the practical steps your school can take to secure its data.

Why schools are a popular target

Schools hold large amounts of sensitive personal data, often manage significant budgets, and rely on a workforce that is rarely given the time or resources to focus on cybersecurity. For a criminal seeking a high-value, less-defended target, that combination is appealing.

 

The data inside a typical school system can include names, dates of birth, addresses, medical records, safeguarding notes, financial details, and contact information for hundreds or thousands of children and adults. On the dark web, that kind of information is worth a lot more than a stolen credit card number, because it can be reused for years without the victim noticing.

 

Schools can also tolerate very little downtime. A multi-day outage during exam season or a critical safeguarding event creates pressure to pay a ransom. Attackers know this and target schools accordingly.

Cybersecurity is a GDPR issue 

Because so much of what attackers steal is personal data, cybersecurity and data protection are two sides of the same coin. You can't protect children's information without protecting the systems it lives on.

 

The UK GDPR requires that personal data is processed securely, using appropriate technical and organisational measures. As attacks on schools increase, cybersecurity is one of the clearest ways to meet that obligation.

 

The National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) have published a set of GDPR security outcomes built around four aims:

  • Manage security risk
  • Protect personal data against cyber attack
  • Detect security events
  • Minimise the impact

 

Mapping your school's current practice against these four aims is a useful starting point. If you can't confidently say how you do each one, you've already found where to focus first.

Three ways to align cybersecurity and data protection in your school

Most schools treat cybersecurity and data protection as separate workstreams, often handled by different teams that rarely communicate with one another. That gap is where problems grow. Here are three small changes that close it:

 

  1. Talk about them together. They aren't separate workstreams. When data protection comes up at SLT or governor meetings, include cybersecurity in the same conversation.

  2. Train your data protection lead in cybersecurity. The overlap between the two roles is significant and growing. While it may not be their title, a designated Data Protection Officer (DPO) who understands phishing, ransomware, and access control will spot risks far earlier.

  3. Help staff understand what attackers are after. Vigilance feels abstract until someone explains that the target is the pupils' personal information. Once staff understand that, the importance of good habits becomes obvious.


None of these needs a big budget or a new system. They're cultural shifts, and they tend to pay off quickly once they're in motion.

What happens when something goes wrong

If a breach occurs and you need to report it to the ICO, one of the first things they'll ask is whether a cyber attack caused it and what measures you had in place.

 

Being able to answer that with confidence is not something you build overnight. It comes from doing the basics well over time: training staff, keeping software up to date, controlling who has access to what, and treating cybersecurity as part of your safeguarding culture rather than a separate IT problem.

Summary 

Cybercriminals target schools because schools have what they want: money, data, and little tolerance for downtime. The good news is that the same actions that protect your school's data also protect its money, reputation, and time. When cybersecurity and data protection are treated as one shared responsibility rather than two separate ones, your school becomes a much harder target. Start with the basics, get the right people talking to each other, and build from there.

 

Take the next step

 

Not sure where your school currently stands? Cyber score gives you a free, instant picture of your school's cybersecurity posture, mapped against the standards you're already expected to meet. It covers the areas the ICO and DfE expect you to be on top of, and gives you a clear set of next steps to work through.

 
