
Ransomware Disrupts Illinois High School, Wales Education Sector


"Upon discovering the incident, we immediately activated our incident response procedures and engaged external cyber breach attorneys and cybersecurity forensic experts to assist with the investigation and recovery process," Evanston Township High School (ETHS) said after a ransomware attack discovered on Sunday, June 7.

Evanston Township High School response and immediate actions

ETHS, located 14 miles north of Chicago, announced the school "won't reopen until Wednesday at the earliest" and that the closure also affects summer school, sports camps, and on-campus activities, all of which were canceled. The district said it engaged external cyber breach attorneys and cybersecurity forensic experts to investigate and recover systems, and that it is cooperating with the Federal Bureau of Investigation (FBI) as part of the ongoing investigation.

Operational impact: communications and online services offline

The district reported multiple operational interruptions. Phone systems are down and staff have limited access to email. Children and their families may not be able to access certain online resources, among them the Home Access Center, which is powered by PowerSchool. ETHS noted that staff other than safety and operations workers were told to work from home, but that their work is constrained because they are locked out of the district's Google accounts and "other network systems, including eSchool."

The statement cautioned that specialists are working "to determine precisely what information may have been accessed or acquired and to restore normal systems operations as quickly as possible," language that, the reporting notes, suggests the institution may still be in the containment phase of remediation.

Investigation and attribution: FBI involvement, no public claim

ETHS confirmed cooperation with the FBI. As of the district's statement, no major ransomware group had claimed responsibility for the intrusion. The district is relying on external forensic teams and breach counsel to identify what data, if any, was taken and to guide restoration.

Powys, Wales incident and the broader education sector risk

The ETHS incident follows another education-sector breach disclosed June 4 that affected 13 schools in Powys, Wales. Powys Council set up an information page and said external specialists are investigating. The council said the attack affected "some school systems" and that personal data belonging to both staff and pupils was accessed, but it also said the compromised data appears to have been taken from only one of the 13 identified schools.

Powys Council repeatedly cited "the sensitive nature of the data" as the reason it would not disclose which schools were affected, how many individuals were affected, what types of data were accessed, or whether the incident involved ransomware or a named attacker. The council said the risk of identity fraud would vary by individual and confirmed all schools in the region remain open and that day-to-day safety and operations are not affected.

The story underlines a sector-wide dynamic the reporting highlights: education organizations store sensitive data that makes them attractive targets for financially motivated extortion. The Information Commissioner's Office reported that between 2022 and 2024, pupils were responsible for 57 percent of 214 school data breaches in the UK, often using stolen login details — a statistic the council and schools will likely consider as investigations proceed.

What this means for technologists, families, and school administrators

  • Technologists and security teams: ETHS's engagement of external forensic experts and breach counsel illustrates the immediate priorities — containment, forensic analysis to determine what was accessed, and restoration of core systems (phones, email, Google accounts, student information systems such as eSchool).
  • Families and students: some online services, including Home Access Center, are offline; summer programs and sports camps have been canceled; families should watch the district information page for updates and guidance on access to student records and attendance reporting.
  • School administrators: the district's public steps — activating incident response procedures, retaining breach attorneys and forensic specialists, and notifying the FBI — reflect a sequence other schools may replicate when forced to balance operations, communications, and legal obligations after a breach.

ETHS closed with a direct appeal for patience: "We understand this situation is disruptive and appreciate your patience and flexibility," and promised that "Additional updates and instructions will be provided as they become available." For now, investigators and outside specialists are the named actors charged with determining what was taken and when, while families, staff and regional authorities wait for those findings.
