Highly confidential documents from 14 schools have been leaked online by hackers, the BBC can reveal.
One of those was Pates Grammar School in Gloucestershire, targeted by a hacking group called Vice Society.
The documents, seen by the BBC, include children's SEN information, child passport scans, staff pay scales and contract details, taken in 2021 & 2022.
A spokesperson for Pates Grammar School said it took the security of its systems and data extremely seriously.
The Vice Society has been behind a high-profile string of attacks on schools across the UK and the USA in recent months.
It allegedly stole 500 gigabytes of data from the entire Los Angeles Unified School District, according to technology website Wired.
The FBI in America has already released an alert on the group's activities.
When data is stolen, Vice Society makes demands for money before leaking the documents if payment is not made.
The documents stolen from Pates Grammar School were comprehensive, with hackers taking documents using generic search terms.
One folder marked "passports" contains passport scans for pupils and parents on school trips going back to 2011, whereas another marked "contract" contains contractual offers made to staff alongside teaching documents on muscle contractions.
Another folder marked "confidential" contains documents on the headmaster's pay, and student bursary fund recipients.
Alongside information from Pates, the BBC found confidential documents purporting to be from the following establishments on Vice Society's website.
Every school on this list has been contacted for comment.
Frances King said it hadn't notified parents and pupils, but the hack didn't affect teaching and it was reported to their IT company.
Lampton School issued a statement that read: "Teachers were aware of the breach but we did not inform them of the data that was stolen. The ICO did not tell us to notify the data subjects. We blocked remote access to all but a small number of staff with two-factor authentication, and all our passwords have been reset."
Mossbourne Federation said: "Parents, pupils, staff and all concerned were immediately notified and kept up-to-date during the recovery process. We have fully recovered from the cyber-attack and have returned to normal operations."
The De Montfort School declined to comment.
The School of Oriental and African Studies confirmed it was hacked in September 2022, with staff contracts and budget details leaked among some 18,680 other files.
"We notified staff and students of the incident, and while we were able to prevent the incident escalating, it resulted in a small, limited data breach of files on internal storage.
"The individuals affected have been contacted, and we are continuing to offer support as required," a spokesperson said.
Hackers leaked the information on the dark web, a section of the internet often used by criminals.
The dark web is not indexed on regular search engines, and requires specialist browsing software to access it.
The hack at Pates is estimated to have taken place on 28 September, when the school emailed parents to say its IT systems and phone lines were down. A few days later the school emailed again with Gmail accounts it had created for parents to contact.
On 7 October, the headteacher emailed again to say its systems were "accessed by an unauthorised third party." Teaching materials, which relied on Microsoft Teams, were affected, and the school said it had notified the Information Commissioners Office (ICO) and police.
At that time, the headmaster wrote: "There is currently no evidence that data has been stolen or published."
Five days later, the school emailed parents again.
The headmaster wrote: "Regrettably, it now appears that some of our data was taken by the criminal organisation and placed on its dark web site, which is not easily accessible and only available to a limited audience with the technical knowledge and ability to access this specific site.
"If we learn that any significant data has been affected in this way, you will be informed and provided with guidance and assistance."
The ICO and Gloucestershire Police confirmed they were investigating the alleged breaches in 2022.
A spokesperson for Pates Grammar School said: "We are currently working closely with cyber-security specialists to conduct a thorough assessment and analysis of this data.
"We are working with highly experienced forensic investigators to secure our systems and resolve the issue.
"We have successfully restored key systems, minimised the disruption to staff and students, and continue to keep the relevant authorities informed of any new developments."
Ross Brewer, chief revenue officer of cyber-security risk management company SimSpace, said: 'We see the education and healthcare sectors being heavily targeted due to their primary focus being on education and care, not cybersecurity.
"They are typically under resourced in the IT function and are easy prey for the hackers that have no heart and are purely motivated by greed.
"The personal information that can be obtained is highly valuable or in some cases embarrassing. Organisations need to train their teams in the safe cyber range environment, so they know what to look for, how to identify gaps in their protection, and how to continually improve their digital hygiene."
Follow BBC West on Facebook, Twitter and Instagram. Send your story ideas to: bristol@bbc.co.uk
Uber investigating computer system hack
Hacked US school app accounts send explicit image
Australia blames Russian criminals for medical hack
Pate's Grammar School
Bus-enthusiast, 8, gets a big birthday surprise from Stagecoach West
Positive news on energy – Siobhan Baillie
Honour for first Green Party councillor to be elected in the UK
Beefy Boys set to open burger restaurant in Gloucestershire
Cotswold Abode Gastronomy make the cut in Germany at Ambiente show
Concerns over cuts to tip opening hours
Police search for motive of dance studio attacker
Elderly California gunman found dead after killing 10
Life in a liberated town under fear of Russian attack
Life in a liberated town under fear of Russian attack
Algae that blights our seas is harvested to make useful products
The ancient trees at the heart of a case against the Crown
Brendan Fraser calls out bias against obese people. Video
The curious case of stalling internet growth in India
'Putin has to find a new scapegoat – LGBT people'
Culture of Sicilian silence that protected Mafia boss for 30 years
Hiding from Putin's call-up by living off the grid
Why maggots are a medical marvel
The simple error that 16% of us make
Gen Z's latest surprising obsession
A return to old-school Canadian glamour
© 2023 BBC. The BBC is not responsible for the content of external sites. Read about our approach to external linking.
