West Lothian Schools Cyber Attack
On Tuesday, 6 May 2025, early in the morning, West Lothian Council’s education network suffered a suspected ransomware attack. The breach forced teachers to disconnect devices, triggering a swift investigative response involving Police Scotland and the Scottish Government.
Initially, officials reported no evidence of data theft or compromise of corporate or public council systems. However, by late May, the Council confirmed that a small percentage of educational network data, some of it “personal and sensitive” in nature, had indeed been stolen. The leaked files included correspondence and identification documents (e.g., driving licences), though crucial pupil records, financial details, and social work reports were stored elsewhere and remained intact.
Who was affected
143 education sites, encompassing 13 secondary schools, 69 primary schools, and 61 nurseries.
A subset of schools (including Armadale Academy, Bathgate Academy, Broxburn Academy, Inveralmond, Linlithgow Academy, St Kentigern’s, West Calder High, and others) were confirmed to have had data compromised, including that of staff, parents, and possibly students.
Immediate council response
Network isolation: The compromised education network was sealed from the rest of West Lothian Council’s systems.
Contingency plans: Despite the disruption, council authorities ensured all schools stayed open normally, and SQA exams were unaffected.
Prompt parental notification: Families received group emails and advice, urging vigilance against phishing and recommending password updates.
Targeted follow‑ups: Those most at risk, based on the sensitivity of their data, were directly contacted to offer support.
Ongoing investigation
With Police Scotland and the Scottish Government actively involved, the attack remains a “live criminal investigation”. The ransomware group Interlock later claimed responsibility, prompting the council to publicly confirm the data theft.
Key lessons and recommendations
· Schools are high‑value targets - As seen in recent retail attacks (M&S, Co‑op, Harrods), ransomware is increasingly aimed at institutions with sensitive data and operational vulnerability.
· Network segmentation works - Isolating the education network helped prevent a broader council-wide disruption.
· Preparedness pays - Existing contingency measures kept schooling and exams on track—a testament to proactive planning.
· Transparent, timely communication builds trust - Parents and staff were promptly informed and given advice without causing panic.
· Data classification matters - Separating pupil records, social work, and financial systems cushioned the impact of the leak.
· Ongoing vigilance is vital - Advice included monitoring for phishing, updating passwords, and seeking support if impacted.
While distressing, the West Lothian schools cyber‑hack offers a strong case study in incident preparedness, network segregation, and crisis communication. The swift rollback to “business-as-usual” mode, combined with honest public updates, helped maintain trust during exam season. But the breach should also be a wake‑up call—not just for schools in Scotland, but for educational networks across the UK—to invest further in robust cyber defences, staff training, and incident response plans.