Every school in Northern Ireland runs on a single IT network called C2K. Email, Google Classroom, OneDrive, revision resources, internal communications: all of it flows through one system, managed by the Education Authority and operated by Capita. On Thursday, the EA disclosed that C2K had been targeted in a cyber attack. The response was a full password reset across the entire network, locking out every school, every teacher, and every pupil.

This happened during the Easter holidays. GCSE, AS, and A-Level exams start a few weeks after schools return.

BBC News reporting on the C2K cyber attack on Northern Ireland's school IT network, with the headline 'School IT system targeted in cyber attack ahead of exam season'

What happened to C2K

The EA hasn’t published full details, which is standard practice during an active investigation. What we know: the attack triggered a complete password reset across the school network, Capita is running security tests, and the system is currently unavailable. The EA told the BBC it is “engaging with the Information Commissioner’s Office and relevant authorities” and that it cannot yet confirm whether personal data has been affected.

That last point matters. C2K handles data for hundreds of thousands of pupils across Northern Ireland. If personal data was accessed, every school in the region is potentially part of a data breach, regardless of their own security practices. The centralised model means one vulnerability can compromise everyone.

Why the timing is so damaging

Jenny Lendrum, principal of Methodist College Belfast, described the practical impact to the BBC. More than 800 of her pupils are due to sit GCSE, AS, and A-Level exams shortly after Easter. All of their revision resources, teacher-uploaded materials, Google Classroom content, and email are accessed through C2K. With the network down, none of that is available.

Kian Hawes, a 14-year-old pupil and education officer for the Secondary Students Union of Northern Ireland, put it simply: students who planned to use the Easter break for revision now can’t start. The pressure of lost preparation time is real, and it falls hardest on pupils who depend most on school-provided digital resources.

Schools have spent years moving materials online. That’s broadly the right direction. But this incident exposes the assumption underneath it: that the network will always be there when pupils need it.

Is C2K’s centralised model unusual?

Not really. Northern Ireland’s setup is more explicitly centralised than most, with a single provider covering every school. But variations of this model exist across the UK. Multi-academy trusts often run shared IT infrastructure across dozens of schools, with common authentication, shared tenancies in Microsoft 365 or Google Workspace, and centralised management through platforms like RM Unify or trust-wide Azure Active Directory. A successful attack on the trust’s core infrastructure would have a similar cascading effect.

Even standalone schools concentrate risk. A school that runs everything through a single Microsoft 365 tenancy with one global admin account and no offline fallback is, in a smaller way, making the same bet that C2K made: that one system will always be available.

The question isn’t whether your school’s infrastructure is identical to C2K. It’s whether you’ve thought about what happens when your primary platform goes down, not for an hour, but for days or weeks.

What schools should be thinking about

This isn’t about criticising the EA or Capita. Cyber attacks are increasingly common, and schools are frequently targeted. The National Cyber Security Centre has warned about this repeatedly. The real question is whether schools have planned for the aftermath.

Some practical things worth considering:

Offline access to critical materials. If revision resources exist only in Google Classroom or OneDrive, a network outage means they simply disappear. Encouraging staff to maintain downloadable copies of key documents, or providing revision packs in formats that don’t require authentication, gives pupils a fallback. It’s low-tech, but it works when the tech doesn’t.

Communication channels that don’t depend on the school network. If your email runs through the same system as everything else, you can’t use email to tell people the system is down. Schools with a separate communication platform, a text messaging service, or even a regularly updated school website hosted independently, have options that C2K schools didn’t.

Incident response planning. Most schools have a business continuity plan somewhere. Very few have tested what happens when their IT platform is completely unavailable for an extended period. Running a tabletop exercise (“C2K is down for two weeks starting the Monday before exams; what do we do?”) costs nothing and might surface gaps before they become real problems.

Data breach readiness. The EA is engaging with the ICO, and the investigation is ongoing. If your school uses a centralised platform and that platform is compromised, you may need to respond to a data breach that you didn’t cause and couldn’t have prevented. Understanding your responsibilities under UK GDPR before that happens is considerably easier than figuring it out in the middle of a crisis.

I’ve written before about the tension between making school data accessible and keeping it secure. The C2K incident is a different angle on the same problem: the more you centralise, the more efficiently things work in normal conditions, and the more completely they fail when something goes wrong.

This could happen anywhere

I genuinely feel for the schools, teachers, and pupils affected in Northern Ireland. Exam preparation is stressful enough without losing access to your revision materials during the break. The EA and Capita will resolve the immediate outage, and the ICO investigation will determine whether data was compromised.

But the structural lesson here applies well beyond Northern Ireland. If your school’s entire operation depends on a single network, a single provider, or a single platform, it’s worth asking: what’s the plan if that goes away tomorrow? Not because it will, but because the C2K attack shows that it can.