
Three UK Education Cyberattacks In Ten Days And The DUAA Complaints Duty Switches On This Friday: What Schools, Charities and Businesses Should Do Next

Three UK education organisations - Powys (13 schools), Great Marlow School and the University of Nottingham - disclosed cyber incidents in the ten days before the new Data (Use and Access) Act complaints duty switches on this Friday 19 June 2026. ShinyHunters used a pre-auth Oracle PeopleSoft zero-day (CVE-2026-35273) against more than 100 organisations, and Microsoft shipped its biggest ever Patch Tuesday on the same day Great Marlow closed. Here is the four-day, 30-day and 90-day plan for every UK school, charity and business.

Key takeaways

  • Three UK education cyber incidents in 10 days - Powys (13 schools), Great Marlow School and the University of Nottingham - and the DUAA data protection complaints duty switching on this Friday 19 June 2026 are the same story; treat them that way.
  • ShinyHunters used a pre-auth Oracle PeopleSoft remote code execution flaw (CVE-2026-35273, CVSS 9.8) against more than 100 organisations between 27 May and 9 June 2026, with 68 per cent of named victims in higher education. Ask your IT provider in writing whether anything in your stack or your suppliers' stacks runs PeopleTools.
  • The June 2026 Patch Tuesday is the biggest Microsoft has ever shipped (around 200 fixes, three publicly disclosed zero-days). Prioritise the Outlook and Word preview-pane RCEs (CVE-2026-45456, CVE-2026-45458, CVE-2026-47635) on every desktop and laptop, and patch any Hyper-V host the same week.
  • Stand up the DUAA complaints page before close of business Thursday 18 June with an electronic form, an alternative route, a named owner, the acknowledgement template, and a one-line note that complaints will be acknowledged within 30 days and may be escalated to the ICO.
  • Run a 30-minute tabletop in the next four weeks using one of the three stories as the worked example, with the new statutory complaints route modelled in. Cheap rehearsal beats expensive improvisation.

Three UK education organisations announced cyber incidents in the ten days before this article went up. On 4 June 2026, Powys County Council confirmed an intrusion affecting systems used by 13 schools, with personal data taken from one of them. On 10 June, Great Marlow School in Buckinghamshire closed for most pupils after malware was found on its ICT systems, with only Year 11 and Year 13 attending for external exams. On 12 June, the University of Nottingham confirmed that the ShinyHunters extortion group — the same actor behind last month's Canvas LMS leak — had taken roughly 40 GB of student and alumni data covering its campuses in England, Malaysia and China. The Have I Been Pwned entry that followed put the unique-email count at around 455,000.

Four days after that, on Friday 19 June, the new data protection complaints duty under the Data (Use and Access) Act 2025 switches on for every UK controller. Every parent, student, donor, customer or former staff member whose data was caught in any of these incidents will, from that morning, have a statutory right to lodge a formal complaint with the organisation that held the data, and the organisation will have a 30-day clock running from the day after each complaint arrives. That the three incidents and the Friday deadline land in the same week is coincidence; the consequence is not: the first statutory complaints will arrive at organisations that are still in the middle of incident response.

For ReadyToday's audience — schools, multi-academy trusts, charities, councils and the small and medium-sized businesses that sit in the supply chains of all of them — the practical question is not whether any of this could happen to them. It is whether the response muscles are wired up before the next 10-day news cycle plays out somewhere else.

What actually happened in the past ten days

The Powys disclosure on 4 June described an intrusion originally identified in April that had been contained but had taken personal data from one school. None of the 13 schools closed. The council declined to name the affected school, citing the sensitivity of the breach, and confirmed individuals were being contacted directly. That pattern, quiet containment in April, public disclosure in June, named-individual notification trickling out for weeks, is the typical small-organisation incident timeline. The forensics take time, the legal review takes time, and the 72-hour ICO notification under Article 33 of UK GDPR has to be navigated alongside the Article 34 duty to tell affected individuals and the wider parent and staff communications.

The Great Marlow School closure on 10 June was a different shape: a same-day decision to take most students offline while specialist responders investigated. The headteacher's statement confirmed only external exams were running on site, that internal exams for Year 10 and Year 12 had been postponed, and that the school could not use its normal email system to talk to parents. That last detail is the one that catches every small organisation off guard in the first 24 hours: when the systems that hold the data are also the systems that hold the contact list, telling people what is happening becomes its own incident.

The University of Nottingham confirmation on 12 June was the largest of the three by data volume and the easiest to map. ShinyHunters' entry point was CVE-2026-35273, a pre-authentication remote code execution flaw in Oracle PeopleSoft Enterprise PeopleTools rated 9.8 on the CVSS scale. Mandiant attributed the campaign to a financially motivated cluster it tracks as UNC6240. Around 300 PeopleSoft instances across more than 100 organisations were touched between 27 May and 9 June, with exploitation starting roughly two weeks before Oracle issued its out-of-band advisory. Sixty-eight per cent of the named victims were in higher education. The Nottingham data dump that followed contained names, addresses, phone numbers, ethnicities, disabilities, passport numbers, and billing and payment records.

All three incidents share the same DNA as the stories on this blog over the past two months. The supplier-cascade pattern that <a href="/resources/blog/gchq-moment-of-consequence-2026-what-uk-schools-charities-smbs-should-do">GCHQ's Annual Lecture</a> warned about in May has now produced a worked UK example: an Oracle product, exploited at scale, with the impact falling on universities and the people whose data those universities hold. The ShinyHunters playbook seen in the <a href="/resources/blog/canvas-lms-breach-2026-what-uk-schools-universities-smbs-should-do">Canvas LMS breach</a> a month ago, find a fat target in education, take what you can, publish, demand payment, has been run again. And the Microsoft June 2026 Patch Tuesday, released on the same day Great Marlow closed, brought the biggest single batch of Microsoft fixes ever shipped, including critical remote code execution flaws in Outlook and Word that trigger through the preview pane.

The next four days: what to put in place before Friday 19 June

Three jobs need to be finished before close of business on Thursday 18 June.

The first is the DUAA complaints page. The detail of what it has to contain is in <a href="/resources/blog/data-protection-complaints-19-june-2026-what-uk-schools-charities-smbs-should-do">last fortnight's piece</a>: a public-facing page with an electronic form and at least one alternative route, a named owner, an acknowledgement template, a simple log, and a brief for the people who answer the phone and the inbox. If that page is not live by Thursday evening, it needs to go live on Friday morning before anything else. Every individual caught in a Powys-style incident — including incidents that have not happened yet — now has a statutory route into your organisation, and the 30-day acknowledgement clock starts on the day after they use it, regardless of weekends and holidays.

The second is the June Patch Tuesday. Microsoft shipped fixes for around 200 vulnerabilities on 10 June, including three publicly disclosed zero-days and a dense cluster of critical remote code execution flaws in Outlook, Word, the Windows HTTP Protocol Stack, Remote Desktop Client, Hyper-V and BitLocker. The Outlook and Word fixes (the CVE-2026-45456, CVE-2026-45458 and CVE-2026-47635 cluster) are the priority for almost every ReadyToday-sized organisation: the preview pane is the attack vector, which means a malicious message or attachment only has to be previewed in the wrong inbox, not opened. If any school, charity or business laptop or desktop running the Outlook and Word desktop clients has not been patched since 10 June, that is the job. Note that Click-to-Run Office updates arrive through the Office update service rather than Windows Update, so a fully patched Windows build does not by itself prove Outlook is patched; check both. Anyone running a Hyper-V host should patch it the same week.
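The "has this machine been patched since 10 June" question is easy to get wrong by looking only at Windows Update history. The following PowerShell is an added example, not part of the original article and not a Microsoft tool: it reports, read-only, the OS build, any OS hotfixes installed since 10 June 2026, the Office Click-to-Run build (which is where the Outlook and Word fixes land and which Get-HotFix never shows), and whether the machine is a Hyper-V host. It assumes nothing about KB numbers or fixed Office builds, because none are given here; the comparison against Microsoft's release notes for the three CVEs is left to the reader.

```powershell
# Added example (not from the article): read-only patch-position check for a
# Windows desktop or Hyper-V host after the 10 June 2026 Patch Tuesday.
# Assumption: the KB numbers and fixed Office builds are not known here, so the
# script reports what the machine can tell you and does not claim a CVE is fixed.

function Get-PatchPosition {
    param([datetime]$Since = [datetime]'2026-06-10')   # Patch Tuesday date from the article

    # OS build from the registry; CurrentBuild.UBR is the form Microsoft quotes in release notes
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $osBuild = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR

    # Get-HotFix (Win32_QuickFixEngineering) lists OS updates only, and InstalledOn
    # can be empty on some entries, so filter those out before comparing dates
    $allHotfixes = @(Get-HotFix | Where-Object { $_.InstalledOn })
    $recent = @($allHotfixes | Where-Object { $_.InstalledOn -ge $Since })
    $latest = $allHotfixes | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $lastDate = if ($latest) { $latest.InstalledOn.ToString('yyyy-MM-dd') } else { 'none recorded' }

    # Office Click-to-Run updates never appear in Get-HotFix; the installed build is here.
    # Compare VersionToReport against the build Microsoft lists as fixed for the Outlook/Word CVEs.
    $c2r = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
    $officeBuild = if ($c2r) { $c2r.VersionToReport } else { 'no Click-to-Run Office found' }

    # The Virtual Machine Management service only exists where the Hyper-V role is installed
    $vmms = Get-Service -Name vmms -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        OSBuild         = $osBuild
        HotfixesSince   = ($recent | Select-Object -ExpandProperty HotFixID) -join ', '
        LastHotfixDate  = $lastDate
        OfficeC2RBuild  = $officeBuild
        HyperVHost      = [bool]$vmms
        # A flag, not a diagnosis: no OS update at all since Patch Tuesday means this machine
        # goes to the top of the list; a Hyper-V host in that state goes to the very top
        NeedsAttention  = ($recent.Count -eq 0)
    }
}

# Run locally. For a fleet, push the same function over WinRM and keep the CSV as the
# evidence for the Friday desk-check, e.g.
#   Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-PatchPosition} |
#       Export-Csv .\patch-position.csv -NoTypeInformation
Get-PatchPosition | Format-List
```

A NeedsAttention of True tells you the machine has had no OS update since 10 June; a False does not prove the Outlook and Word fixes are in place, because those ride on the Office build. Treat the OfficeC2RBuild column as the number to check against Microsoft's advisory for the three CVEs, and treat a machine that reports HyperVHost True as a server to patch in the same week whatever the desktop numbers say.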

The third is a one-question check with the IT provider: does anything in our stack, or in our suppliers' stacks, run Oracle PeopleSoft or PeopleTools? Most ReadyToday-audience organisations will not — PeopleSoft is an enterprise HR and finance system that sits behind universities, large councils, big charities and mid-market businesses. But the supplier-cascade question is the one to put in writing on Tuesday 16 June, before the news cycle moves on, and with a request for an explicit confirmation that any PeopleSoft surface has been patched and inspected for indicators of compromise dated 27 May to 9 June.

Two adjacent jobs sit alongside the Patch Tuesday work this week. Confirm that <a href="/resources/blog/ncsc-passkeys-april-2026-what-uk-schools-charities-smbs-should-do">passkeys</a> protect the new complaints inbox and any administrator account that can read the complaints log: from Friday that inbox will hold personal data and the details of every incident people complain about, which makes it a high-value target. And make sure the Friday morning desk-check list explicitly includes the complaints page link and a test submission, the same way a fire-alarm test gets walked once a week.

The next 30 days: turn the response muscle into something repeatable

By mid-July the goal is to have rehearsed the response to a Powys-shaped incident at least once with the people who would actually do it.

Run a tabletop with the supplier story baked in. Pick a hypothetical: the school's MIS supplier, the charity's CRM provider, the SMB's online booking platform. Walk through the first 24 hours: who calls whom, what gets unplugged, how parents and donors and customers are told when the normal email system is gone, who briefs the trustees or directors. The shape is the same as the supplier-incident tabletop recommended after the <a href="/resources/blog/one-year-on-from-ms-supplier-risk-what-uk-smbs-charities-schools-should-do">M&S, Co-op and Harrods stories</a> a year ago. The DUAA layer is new: every individual affected has a complaints route into your organisation that the tabletop now has to model.

Sign the organisation up to the NCSC Early Warning service if it is not already, and align cyber ownership at board level with Action 1 of the <a href="/resources/blog/cyber-resilience-pledge-2026-what-uk-smbs-charities-schools-should-do">Cyber Resilience Pledge</a>. The organisation the trustees, governors and directors oversee is the controller for DUAA purposes, and they are accountable for it, so cyber and data protection belong on the same dashboard, not on two separate ones.

Map third-party software properly. Not just the SaaS the organisation buys, but the SaaS those suppliers buy. The PeopleSoft story is the lesson here: a vulnerability in a system most ReadyToday-audience organisations have never directly heard of can still be the route by which a parent's data ends up on a leak site. Ask the top five suppliers for a list of the systems they use to process your data, and a named incident contact who will answer the phone in the first hour.

The next 90 days: lock the routines in and make the board pack reflect them

By mid-September the routine work needs to be invisible.

Put a standing quarterly number on the board pack: complaints received, average days to acknowledge, number escalated to the ICO, themes, and a one-line note on supplier incidents touched in the quarter. The Cyber Resilience Pledge's Action 1 (board-level cyber ownership) is the home for it. The Pledge's Action 2 (NCSC Early Warning) and Action 3 (Cyber Essentials across the supply chain) become the standing tests the board asks its IT lead about each quarter.

Refresh the supplier-due-diligence questionnaire. New rows: which enterprise systems (PeopleSoft, Workday, Oracle E-Business Suite, SAP) sit behind the supplier's service to you, when they were last patched, whether the supplier has run an indicator-of-compromise sweep for CVE-2026-35273 across the May–June 2026 window. The same questionnaire should ask about AI feature defaults — the <a href="/resources/blog/agentic-ai-ncsc-five-eyes-2026-what-uk-schools-charities-smbs-should-do">agentic AI piece</a> from May explained why these now have to be a procurement question.

And run a second tabletop in late August, this time on the DUAA complaints process itself. Three plausible complaints — one bundled with a subject access request, one arriving by phone on the August bank holiday, one from a former employee — walked end to end. Time the acknowledgement. Walk the investigation. Write the outcome. Note where the process bent and fix it before September.

Where this leaves the next news cycle

A week from now, the Powys, Great Marlow and Nottingham stories will be one or two news cycles old, and a new education incident or supplier-driven breach will be in the headlines. The DUAA complaints duty will be live, and the ICO will have begun receiving the first wave of escalations from organisations whose complaints processes turned out to exist only on paper. The Patch Tuesday CVEs will be sitting in NCSC's vulnerability feeds, with the laggards being the easy targets for the next month. None of this is speculative.

The five practical takeaways:

  • Three UK education cyber incidents in 10 days — Powys, Great Marlow and Nottingham — and the DUAA data protection complaints duty switching on this Friday 19 June 2026 are the same story; treat them that way.
  • ShinyHunters used a pre-auth Oracle PeopleSoft remote code execution flaw (CVE-2026-35273) against more than 100 organisations between 27 May and 9 June, with 68 per cent of named victims in higher education. Ask your IT provider in writing whether anything in your stack or your suppliers' stacks runs PeopleTools.
  • The June 2026 Patch Tuesday is the biggest Microsoft has ever shipped. Prioritise the Outlook and Word preview-pane RCEs (CVE-2026-45456, CVE-2026-45458, CVE-2026-47635) on every desktop and laptop, and patch any Hyper-V host the same week.
  • Stand up the DUAA complaints page before close of business Thursday 18 June with an electronic form, an alternative route, a named owner, the acknowledgement template, and a one-line note that complaints will be acknowledged within 30 days and may be escalated to the ICO.
  • Run a 30-minute tabletop in the next four weeks using one of the three stories as the worked example, with the new statutory complaints route modelled in. Cheap rehearsal beats expensive improvisation.

If you would like a second pair of eyes on the complaints page, the patch position and the supplier list before Friday, that is exactly the kind of short, time-bounded job our <a href="/services/cybersecurity-resilience">cybersecurity and resilience</a> work is built for. A <a href="/contact/discovery">30-minute discovery call</a> will get you a one-page plan that covers the next four days, the next 30 days and the next 90 days.

Written by Boris Didov