Case File: The Cyber Attack That Locked Every School in Northern Ireland
Monday 6 April 2026
On Thursday 2 April 2026, every school in Northern Ireland lost access to its digital infrastructure in one stroke. Not some schools. Every single one.
Approximately 300,000 pupils and 50,000 teachers were locked out of their email, their coursework, their revision materials, their teacher guidance documents. All of it: gone. The network that holds it all, C2k, had been hit by a cyber attack. The Easter bank holiday had just started. GCSE, AS-level, and A-level exams were weeks away.
This piece is not speculation. Everything here is sourced, confirmed, or clearly flagged as unknown. And there is quite a lot in that last category, which is itself part of the story.
File One: The System
To understand what happened, you first need to understand what C2k is. Most people outside Northern Ireland will not have heard of it. That is worth changing.
C2k, originally named “Classroom 2000,” is the centralised information and communications technology network that serves every grant-aided school in Northern Ireland. Not most schools. Every grant-aided school. It provides internet connectivity, email, cloud storage, the LearningNI virtual learning environment, device management, the C2k Media Library, administrative systems, and a secure communications platform called C2k Exchange. It manages over 80,000 devices across roughly 1,060 schools.
The Department of Education Northern Ireland has invested more than £632 million in C2k since the programme began in 2000. It was originally co-funded by the EU’s Building Sustainable Prosperity programme.
The network is operated under contract by Capita Technology and Software Solutions, a subsidiary of Capita plc, on behalf of the Education Authority Northern Ireland (EA), the statutory body that oversees education provision across the region.
That structural arrangement matters. C2k is not just a service. It is the singular, centralised, non-redundant digital backbone of an entire education system. There is no parallel system. There is no opt-out. When C2k fails, the whole of Northern Ireland’s school IT fails with it.
That is a design decision. Someone made it. Someone continues to sign off on it. Those people are worth knowing.
File Two: The Sequence
Here is what we can confirm happened, in order.
Thursday 2 April. Schools received a message from the EA stating that, as part of work to manage an “IT security issue,” a network-wide password reset would be carried out for all users. No further detail was given at this stage. The reset locked every student and teacher out of their accounts simultaneously. The EA did not use the phrase “cyber attack” in this initial communication.
Friday 3 April (Good Friday). The EA published a statement on eani.org.uk confirming the incident was a cyber attack. The statement said: “As soon as we became aware of the incident, the system managers, Capita, took immediate steps to contain the issue and begin a full investigation.” The EA confirmed it was engaging with the Information Commissioner’s Office (ICO) and “relevant authorities.” It acknowledged that the investigation was “at an early stage” and that it could not yet confirm whether any personal data had been affected.
Also on Friday, the EA and Capita began resetting passwords, prioritising post-primary schools and exam-year pupils.
Saturday 4 April. The EA issued an update describing “positive progress,” saying teams had worked “around the clock to rapidly develop and test a safe and secure solution.”
Sunday 5 April (Easter Sunday). The EA confirmed it was continuing to “make good progress,” restoring access starting with post-primary schools. Sullivan Upper School in Holywood confirmed its senior staff had regained access. Principal Craig Mairs told parents that each individual account would need its password reset manually, describing this as “a very significant task,” and announced the school would open on Easter Monday for Years 11 to 14 to assist exam pupils directly.
Jenny Lendrum, principal of Methodist College Belfast, told BBC Northern Ireland that pupils could not access online revision materials, with more than 800 students due to sit public examinations in the coming weeks. Nick Mathison, chair of the Stormont Education Committee, said establishing whether a data breach had occurred was the priority and that those potentially impacted needed to be communicated with quickly.
Monday 6 April (Easter Monday). No further public update from the EA at time of writing. Recovery work is ongoing. The investigation is active.
That is the confirmed timeline. Now let us look at what those facts actually tell us.
File Three: Reading the Statements
The EA and Capita’s public communications have been measured. Polite. Notably careful.
Consider the specific phrase the EA used on Good Friday: the investigation is “at an early stage” and the EA “cannot yet confirm whether any personal data has been affected.”
That sentence is doing a lot of work. It is not saying no data was accessed. It is not saying the systems were merely disrupted. It is saying the forensic picture is incomplete. That is either genuine uncertainty, which is understandable three days into a live investigation, or it is the kind of language organisations use when they suspect something serious and are not yet ready to say so publicly.
Under UK GDPR, an organisation has 72 hours from becoming aware of a qualifying personal data breach to notify the ICO. The EA confirmed ICO engagement on Friday 3 April. That clock started ticking, at the latest, when the attack was first detected on Thursday 2 April.
As of the time of writing, the ICO has issued no public statement about this incident. That is not unusual: the ICO does not typically comment publicly until an investigation is concluded. But its absence from the public conversation is worth noting, not as evidence of anything, but as a reminder that a regulatory process is running in parallel to the EA’s recovery operation.
The EA’s reference to “relevant authorities” is also worth examining. It has not named the NCSC. It has not confirmed PSNI involvement. These may be deliberate omissions for operational security reasons during an active investigation, which would be entirely legitimate. Or they may reflect the actual scope of engagement. We do not know which.
What we do know is that the EA’s communications have consistently prioritised recovery messaging over disclosure. That is a reasonable operational choice. It is not the same as transparency.
File Four: The Timing
Kian Hawes is 14 years old and serves as education officer for the Secondary Students Union of Northern Ireland. He told the media that teachers had been encouraging students to use Easter specifically for catching up on revision, and that the C2k outage had “hindered students’ ability to revise.”
That is a precise, accurate description of a real harm, delivered with more clarity than most corporate communications manage.
Easter break is not arbitrary timing for exam students. It is the last sustained uninterrupted revision window before study leave and the exam season itself. Teachers had spent weeks directing pupils toward digital resources on C2k: revision materials uploaded throughout the academic year, coursework drafts saved to cloud storage, teacher-prepared guides and past paper walkthroughs. None of that was accessible.
The EA acknowledged this directly in its Friday statement, apologising specifically to “pupils who may be preparing for exams or completing coursework during the Easter period.” What it does not do is answer the question of whether the timing was coincidental.
Attackers targeting education systems sometimes choose term boundaries and holiday periods deliberately. Reduced staff monitoring, skeleton IT coverage, and the window before services resume can all work in an attacker’s favour. Easter 2026 offered all three. Whether the attackers here were opportunistic or timed this attack strategically is unknown. The question is legitimate and the investigation should address it.
File Five: The Capita Context
Capita Technology and Software Solutions manages the C2k contract. Capita plc, its parent, is a significant outsourcing provider to the UK public sector. That is relevant context for this incident, not as a verdict, but as background that any investigation will need to examine.
In March 2023, Capita suffered a Black Basta ransomware attack that led to the personal data of 6,024,221 individuals being compromised. That data included home addresses, National Insurance numbers, passport scans, bank account details, and biometric data belonging to pension scheme members and individuals across Capita’s public sector contracts.
The ICO subsequently fined Capita £14 million for failures in its information security arrangements. Investigators found that at the time of the 2023 attack, Capita had only one Security Operations Centre analyst per shift. The breach cost Capita £25.3 million in net losses and resulted in a High Court group action lawsuit involving over 5,000 claimants, with as many as 90 downstream organisations reporting separate data breaches as a consequence.
There is no confirmed connection between the 2023 Capita breach and the April 2026 C2k attack. No source has established that the earlier incident directly compromised C2k systems. Making that link without evidence would be wrong.
What is fair to say is this. Capita was fined £14 million three years ago for inadequate security infrastructure across its public sector contracts. It continues to manage the contract for a network serving 350,000 people in Northern Ireland. The questions that flow from that are obvious. Were the lessons of 2023 applied to the C2k contract? What security requirements does the EA’s contract with Capita actually specify? When was the last independent security audit of C2k’s infrastructure?
These are not hostile questions. They are the questions any responsible procurement authority should be able to answer. The EA should be asked them directly, and the answers should be made public.
File Six: What We Do Not Know
Good investigation is partly an exercise in honest cataloguing of gaps. Here is what remains officially unknown as of Monday 6 April 2026.
The attack type. The EA has used only the phrase “cyber attack” in all public communications. Ransomware, distributed denial of service, credential compromise, unauthorised access, data exfiltration: none of these have been confirmed or ruled out.
Whether personal data was accessed. The EA has explicitly stated it cannot yet confirm this. The personal data held across C2k includes children’s school records, teacher credentials, and administrative data for 1,060 schools. If any of that data was accessed or exfiltrated, the implications for ICO enforcement and individual notification obligations are significant.
Who is responsible. No threat actor has claimed this attack. No ransomware group has listed the EA or C2k on known leak sites as of this writing. Groups sometimes wait days or weeks before publishing. Attribution may not be established quickly, if at all.
Whether a ransom demand was made. The EA has not addressed this.
The full scope of systems affected. The EA has not disclosed whether any administrative systems holding sensitive data beyond the educational platform were compromised.
Every one of these unknowns will eventually have an answer. The question is whether those answers will be made public, when, and by whom.
File Seven: The Structural Problem
The C2k attack is a specific incident. It is also a symptom of something broader.
The decision to run an entire education system’s digital infrastructure through a single centralised network operated by a single private sector contractor is not unique to Northern Ireland. It is a common pattern across UK public sector IT. Centralised procurement, single-vendor contracts, and monolithic legacy networks have been the standard model for decades. They offer economies of scale and administrative simplicity. They also create catastrophic single points of failure.
When C2k goes down, there is no fallback. There is no parallel system. There is no local alternative for any individual school to use. The whole thing stops, simultaneously, for every school, every pupil, every teacher. That is not a cyber security problem. That is an architecture problem. The cyber attack exposed it. It did not create it.
The Stormont Education Committee has indicated it will seek answers. The ICO’s investigation will examine data protection compliance. But the structural accountability question, who decided this architecture was acceptable risk, and whether they were right, sits above both of those processes. None of that helps the Year 13 student in Derry who cannot access four months of revision notes on a Sunday afternoon in April.
How to Turn This Into a Competitive Advantage
Every business that relies on a single vendor for critical digital infrastructure should look at what happened in Northern Ireland on 2 April and ask a direct question: if my equivalent of C2k went down today, what would my business actually be able to do?
Document your single points of failure now, before an incident forces you to. Walk through your critical systems and identify which ones have no fallback. Email provider, cloud storage, accounting software, CRM: if any one of these goes down and you have no workaround, you have the same structural vulnerability the EA had.
Use vendor security requirements as a differentiator in client conversations. If you can demonstrate to clients that your suppliers are contractually required to meet security standards, independently audited, and covered by specific breach notification timelines, you are offering something most of your competitors are not. That is a procurement advantage in an environment where supply chain risk is increasingly on buyers’ minds.
Build and publish your resilience story. The businesses that come out of incidents like this with their reputations intact are the ones that had a plan and executed it visibly. Document your resilience posture. Share it with clients. Reference it in tender responses.
How to Sell This to Your Board
The Northern Ireland attack is not abstract. It shut down the entire education infrastructure of a region in one action. Three arguments that will land with your board:
Single-vendor dependency is a quantifiable risk. Ask your board to calculate the cost of your primary IT provider being unavailable for four days: lost productivity, missed client deliverables, reputational damage, and potential regulatory exposure. Put that number in front of the people who approve the budget for redundancy and backup infrastructure. The conversation changes when the risk has a number attached.
Your supplier’s security failure is your GDPR problem. If personal data is held by a third party on your behalf, a breach of that data is your breach. The ICO’s £14 million fine against Capita in 2023 was paid by Capita. The reputational damage landed on both Capita and its clients. Your contract with a supplier does not transfer your regulatory liability. It only determines who pays for the consequences.
Cyber resilience is a competitive differentiator, not just a cost. Being able to demonstrate to clients and partners that you have documented vendor security standards, tested fallback capabilities, and an incident response plan that does not depend entirely on a single contractor is a genuine advantage. Trust is increasingly hard to establish and easy to lose. Resilience is now a selling point.
What This Means for Your Business
- Audit your vendor dependencies this week. List every supplier that holds your data or runs a system you depend on. For each one: what is their published security standard, when were they last audited, and what happens to your business if they go down for 72 hours?
- Check what your contracts actually say about security. Most SMB supplier contracts say very little. At minimum, your contracts should specify: how quickly a supplier must notify you of a breach, what security standards they are required to maintain, and what your rights are if they fall short.
- Build a manual fallback for your most critical processes. Not everything can be mitigated with technology. Identify the three or four things your business absolutely must be able to do if your primary IT systems are unavailable, and document how you would do them without those systems.
- Run a tabletop exercise using this scenario. Gather your key people. Tell them: “Our primary IT provider has been hit by a cyber attack. All systems are down. It is Easter Friday. We have no access to email, our CRM, or our file storage. What do we do?” The gaps that emerge from that conversation are your action list.
- Revisit your cyber insurance policy. Check specifically whether your policy covers losses caused by a supplier’s breach, not just a direct attack on your own systems. Many policies do not. If yours does not, that is a conversation to have with your broker.
| Source | Article |
|---|---|
| Education Authority NI | Update on Cyber Security Incident |
| ITV News UTV | IT system for Northern Ireland schools targeted by cyber attack |
| Belfast News Letter | Cyber attack hits IT system for Northern Ireland schools |
| Belfast News Letter | Education Authority making positive progress after cyber attack |
| The Irish News | Northern Ireland schools cyber attack: what we know |
| Derry Journal | Cyber attack hits IT system for all schools in the North |
| Wikipedia | C2k: programme background and scope |
| Computer Weekly | Black Basta ransomware attack to cost Capita over £15m |
| Computer Weekly | ICO fines Capita £14m after ransomware caused major data breach |
| DataBreaches.net | UK school IT system targeted in cyber attack ahead of exam season |
| Department of Education NI | ICT in schools: C2k programme overview |