- Tammy Buchanan
- Information/Cyber Security
When Cyber Risk Becomes Reality: Lessons from the Powys School Attack
What Happened?
On 4 June 2026, Powys County Council confirmed that a cyber security incident had resulted in the theft of personal data belonging to pupils, staff, and others connected to schools in mid-Wales. Thirteen schools were affected by the wider incident, with personal data specifically taken from at least one. The attack was first identified in April 2026 and, according to the council, was “quickly contained”, but not before unauthorised access to personal data had already occurred.
Due to the sensitivity of the breach, the council has not publicly named the affected schools, confirming only that all those impacted are being contacted directly. Work to understand the full scope of the incident is ongoing, with specialist cyber security experts supporting the investigation. The cause of the attack has not yet been disclosed, and the full financial and reputational cost remains unknown.
Councillors Raiff Devlin and James Gibson-Watt issued a joint statement acknowledging the incident would be “very concerning for parents, staff and the wider community,” and emphasised that the safety and wellbeing of pupils and staff remained the council’s absolute priority.
Reassuringly, all schools remained open and operational throughout, with no evidence of disruption to educational provision.
This Is Not an Isolated Incident
The Powys attack is a reminder that schools are not low-value targets. The latest figures make sobering reading. The Cyber Security Breaches Survey 2025/2026, published on 30 April 2026 by DSIT and the Home Office, found that 73% of secondary schools had identified a breach or attack in the past 12 months — up sharply from 60% the previous year. Primary schools fared better, though they are far from immune. The education sector is now consistently ranked among the most targeted industries in the UK.
For the full breakdown and what it means in practice for schools, see our article: The Cyber Security Breaches Survey 2025/2026 – Key Advice for Schools.
This is not surprising. Schools hold large volumes of sensitive data: pupil records, SEND information, safeguarding notes, staff personal details and financial data. Much of it, health, SEND and safeguarding information in particular, is Special Category data under UK GDPR, which carries stricter conditions for processing and a correspondingly higher expectation of security. That makes a breach in a school setting potentially far more serious than in many commercial organisations.
As we also covered in May 2026, the DfE’s launch of a dedicated Cyber Security Hub was a direct response to this growing threat. Our article What School Leaders Need to Know About the DfE’s New Cyber Security Hub covers what that hub offers and why school leaders should be using it now.
Is Cyber on Your Risk Register? It Should Be.
Here is a question for every governing board and trust board to ask at its next meeting: Is cyber security on our risk register?
The DfE’s Cyber Security Standards for Schools and Colleges are clear. A central requirement is that schools conduct a cyber risk assessment every year, reviewed every term, feeding directly into a risk register and business continuity planning. That assessment should cover hardware, software, data, user behaviour, and supplier risk. Our free DfE Digital Standards Overview summarises the key obligations in plain language — useful for governors who want a quick briefing document.
The DfE’s Digital and Technology Standards also emphasise governance as a core pillar, not just IT. This means:
• Governors and trustees must ask informed questions about cyber risk, not leave it solely to IT teams
• At least one governor or trustee should complete cyber security training (referenced in the DfE Governance Guides at sections 7.7.3 and 7.9.3 for maintained schools and academy trusts respectively)
• Multi-academy trusts must ensure a consistent approach across all schools: a weakness in one setting creates risk for the whole trust
For MATs, the DfE expects cyber security arrangements to be reflected in the risk register, the audit and risk committee’s oversight, and the annual governance statement. If your MAT’s risk register does not currently carry cyber as a risk, that is itself a governance gap.
What Should Boards Do Now?
The following questions are appropriate for any governor, trustee, or headteacher to raise following the Powys incident.
Immediate questions for the board agenda:
• Is cyber security on our risk register, with a current risk rating and named owner?
• When did we last conduct a cyber risk assessment? Has it been reviewed this term?
• Do we have an incident response plan? Has it been tested?
• Are all staff accounts protected by multi-factor authentication (MFA)? (This is mandatory under DfE standards.)
• What personal data do we hold, and how is it secured?
• Do we have a data breach response procedure, and does our DPO know their role in it?
For MAT boards and audit committees:
• Is cyber security risk reviewed consistently across all schools in the trust?
• Are we providing centralised support and oversight to prevent weaker settings creating trust-wide vulnerability?
• Does our annual governance statement reflect our cyber security posture honestly?
The Regulatory Picture Is Tightening
The DfE updated its Cyber Security Standards in January 2025, introducing mandatory Cyber Essentials certification for colleges and special post-16 institutions, and strongly encouraging all schools to adopt the same. Full implementation is expected across the sector during 2025/26.
The forthcoming Cyber Security and Resilience Bill will further modernise the UK’s cyber security landscape and is expected to affect schools, not least indirectly through the managed service providers and suppliers the Bill brings into scope. Ofsted, too, is increasingly attentive to information governance: a school or trust unable to demonstrate that it has addressed the DfE cyber standards risks adverse findings on leadership and governance at inspection.
The message is clear. Cyber security is no longer an IT issue to be managed quietly in the background. It is a governance issue, a data protection issue, and, given the nature of the data schools hold about children, a safeguarding-adjacent issue.
A Note on Data Protection Obligations
Where a cyber attack results in a personal data breach, schools and trusts have legal obligations under UK GDPR. Depending on the nature and severity of the breach, this may include:
• Reporting to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms (the clock starts at awareness, not at the end of the investigation, so an initial report can be followed by further information in phases)
• Notifying affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms
• Documenting the breach in the school’s internal breach log, regardless of whether ICO notification is required
The Powys incident, involving the personal data of children, is precisely the kind of breach that is likely to require ICO notification and direct communication with affected families. Schools should ensure their DPO is involved from the outset of any suspected incident, and should record the date and time they first became aware of it, since that is the point from which the notification deadline runs.
Further Reading from Data Protection Education:
• The Cyber Security Breaches Survey 2025/2026 – Key Advice for Schools (1 May 2026)
• What School Leaders Need to Know About the DfE’s New Cyber Security Hub (12 May 2026)
• Can You Use AI Safely in Schools? (19 May 2026)
• DfE Digital Standards Overview – Free Download
• What the Data (Use and Access) Act Means for Schools (27 May 2026)
For support with cyber security from a data protection perspective, including DPIA templates, breach response procedures, and governor briefings, contact Data Protection Education:
Sources: Cambrian News, 4 June 2026; Cyber Security Breaches Survey 2025/2026 (DSIT/Home Office, 30 April 2026); DfE Cyber Security Standards for Schools and Colleges.
