top of page
Search

EA confirms personal data breach at schools after cyber attack as teen arrested in PSNI investigation

  • Writer: Love Ballymena
    Love Ballymena
  • 2 hours ago
  • 5 min read

The Education Authority has confirmed that personal data linked to a small number of schools in Northern Ireland was compromised in a targeted cyber attack on the C2k school network, marking a major escalation in an incident that has already caused widespread disruption across the education system.


The development emerged on Wednesday 15 April, just hours after detectives from the PSNI’s Cyber Crime Investigation Team arrested a 16-year-old boy in connection with the ongoing investigation into the network intrusion.



The confirmation from EA today reveals not only an incident which caused operational disruption but also a serious data breach, with affected schools, staff and potentially pupils now facing the consequences of unauthorised access to personal information.


Education Authority confirms personal data accessed


In an update issued on Wednesday, the Education Authority said its ongoing forensic investigation had now established that the cyber attack was specifically targeted at a limited number of schools and is believed to have involved access to personal data.



The authority said:


“The ongoing investigation into the recent cyber incident has now confirmed that there was a targeted attack on a small number of schools which is believed to have compromised some personal data.”


It is the first formal confirmation that personal information was accessed during the breach.


Earlier public statements from the authority had said that, at that stage, there was no evidence of data being exfiltrated or corrupted.


The EA said its immediate priority has now moved to urgently contacting those directly affected.



It said:


“Our immediate priority is notifying the individuals and schools impacted by the attack. That process is being urgently progressed, guided by the final findings of the investigation and advice from the PSNI and the Information Commissioner’s Office.”


The involvement of the Information Commissioner’s Office underscores the seriousness of the breach and the potential implications for data protection compliance.


Breach discovered last Friday but withheld during live police operation


The Education Authority confirmed that forensic investigators informed officials on the afternoon of Friday 10 April 2026 that personal data had been specifically accessed.


According to the update, forensic experts identified “specific and targeted access of personal data”.



The EA said:


“We were informed on the afternoon of Friday, 10 April 2026. The forensic experts undertaking the investigation of the cyber-attack advised that there had been specific and targeted access of personal data.”


The authority said both the PSNI and the Information Commissioner’s Office were informed immediately following that discovery.


It said:


“We immediately informed the PSNI and the Information Commissioner’s Office of this development.”


The public was not informed at that stage because of the live police investigation.


Explaining the delay, the authority said:


“We are making details of the emerging situation public now, following an arrest by the PSNI. We were unable to make any public statement before this point, to avoid compromising police inquiries.”



That clarification is likely to be closely scrutinised by schools and families who had previously been told there was no evidence of compromised data.


Teenager arrested in Portadown as PSNI investigation intensifies


Earlier on Wednesday, detectives from the PSNI’s Cyber Crime Investigation Team arrested a 16-year-old male in the Portadown area.


Police said the arrest was made on suspicion of offences under Sections 1, 2 and 3A of the Computer Misuse Act 1990.


A PSNI spokesperson said:


“Detectives from the Police Service of Northern Ireland’s Cyber Crime Investigation Team arrested a 16-year-old male on suspicion of offences under Sections 1, 2 and 3A of the Computer Misuse Act 1990.”



The spokesperson added:


“The male was arrested earlier today in the Portadown area, Wednesday 15 April, and has since been released pending further enquiries. A follow-up search has taken place.”


The arrest forms part of the ongoing investigation into the cyber intrusion first reported on Thursday 2 April, when the C2k network was disrupted.


Authority says attack remains contained


Despite confirming that personal data was accessed, the Education Authority said system managers still believe the cyber incident has been contained.


Additional cyber security measures were deployed at the beginning of the month when the intrusion was first detected.



The authority said:


“It remains the assessment of our system managers that the cyber incident is contained. Additional security measures were deployed at the beginning of this month on detection of the incident.”


Officials added that intensive recovery work is continuing to restore all services across the schools network.


The statement said:


“Intensive work continues to ensure schools are fully reconnected to the C2k system and that all impacted systems return to normal.”


The EA said the forensic analysis has involved a “thorough and systematic review of extensive data across multiple systems”, indicating the scale and complexity of the investigation now under way.



Why earlier statements said there was no evidence of a breach


The Education Authority has also moved to explain why it previously stated there was no evidence that data had been compromised.


According to the authority, that reflected the expert assessment available at the time.


It said:


“Last week we were advised that the assessment at that point was that there was no evidence to date of data exfiltration or corruption - that was the basis for our statement at that time.”


The authority stressed that the position was always subject to change as forensic work continued.


It added:


“We also made it clear that investigations were ongoing and the situation would continue to be monitored.”


The latest forensic findings have now established that access to personal information did occur and that this took place before the additional security measures were deployed.


That timeline is likely to be a key focus for investigators and school leaders as they assess how the intrusion occurred and what information may have been affected.



Schools continue to face disruption


The cyber attack has already caused significant disruption for schools across Northern Ireland.


The C2k network, which underpins school email, logins and a range of core digital services, was temporarily taken offline as a security precaution.


Schools were later instructed to carry out full password resets and reconnection procedures before the start of term.


The Education Authority warned that schools failing to complete the required reset process risked having limited or no access to essential C2k services, including email and systems dependent on C2k credentials.


The disruption has been particularly concerning for pupils preparing coursework and examinations over the Easter period, with schools reliant on digital platforms for communication and access to learning resources.



Affected individuals to be contacted directly


The Education Authority said all individuals whose data has been compromised will now be contacted directly.


It said: “Individuals whose personal data have been compromised by this breach will be notified.”


The authority added: “We apologise sincerely for any concern this may cause and are making efforts to ensure they are informed as quickly as possible.”


The statement concludes: “In the meantime, please ensure you have reset your C2k password as instructed by your school.”


Further updates are expected as the PSNI investigation continues and forensic teams complete their analysis of the breach.




At a glance


  • Education Authority confirms personal data was compromised in targeted cyber attack

  • Attack affected a small number of schools in Northern Ireland

  • Breach was confirmed on Wednesday 15 April

  • Forensic experts identified data access on Friday 10 April

  • PSNI arrested a 16-year-old boy in Portadown

  • Teenager released pending further enquiries

  • Incident investigated under Computer Misuse Act 1990

  • C2k services across schools have been disrupted since 2 April

  • Affected individuals will be contacted directly

  • Password resets remain in place across schools


bottom of page