Suspected malware has shut Great Marlow School for a second consecutive day. The exam years are still the only ones on site, and the rest of the school is on Microsoft Teams, in a containment posture the sector keeps rehearsing in public.
Great Marlow School in Buckinghamshire entered its second consecutive day of shutdown on Thursday, with only Year 11 and Year 13 students allowed on site to sit GCSE and A-level papers, while Years 6 through 10 and Year 12 were told to stay home and work through Microsoft Teams, according to The Register's reporting on the incident. The school's own statement, relayed by the publication, frames the closure as precautionary and places the institution firmly in containment, not recovery.
The mechanics of the first forty-eight hours tell a familiar story. Teachers cannot set work from school systems, so revision moves to a cloud service the school has not had to lock down. Mock exams scheduled for Years 10 and 12 will be sat later in the term. A Year 7 learn-to-row session has been pushed; a Year 7 and 8 athletics event is still going ahead on Thursday. The split is operationally revealing: a school's on-premise estate gets frozen, the cloud SaaS layer keeps running, and the calendar reorganizes itself around what is exam-board non-negotiable.
The Register frames the closure as part of a recurring UK education-sector pattern, and the framing is hard to dispute on the available evidence. The malware is still suspected, not named. The school has not confirmed ransomware, has not confirmed data exposure, and has not attributed the incident to a specific actor. The school is working to Department for Education and National Cyber Security Centre guidance, but the public-facing language, "suspected malware," "precautionary," "limited access to systems," is the language of an institution buying time, not executing a known recovery script. The headline uses the word "cyberattack"; the school's own statement does not. That gap is itself a data point about how the first seventy-two hours actually get communicated.
The pattern argument does not rest on Great Marlow alone. A second US education-sector campus, an Illinois high school, was closed for two days earlier this week on a ransomware incident and reopened on Wednesday, per the same source. The same news cycle includes separate disclosures involving NHS trusts. Education and public sector are taking a disproportionate share of the operational impact in a single week, and the coordination load falls on institutions whose core business is teaching children, not running incident response.
The cost distribution inside the school is also worth naming. Exam-year students absorb the operational risk of attending a site whose systems are still being characterized. Other year groups sit at home on a tool that was not designed to carry a full timetable. Internal mocks for Years 10 and 12 are pushed back. Extracurriculars get rearranged ad hoc. The school is making these calls without public confirmation of the threat family, the intrusion vector, or the data status.
What would a mature first-seventy-two-hours sector playbook look like. It would name the threat category on day one, or admit that it cannot. It would give parents and exam boards a single authoritative status channel rather than a school statement and a reporter's paraphrase. It would pre-stage the cloud-and-on-premise split that Great Marlow is improvising, so that "teachers cannot set work" does not translate into "Years 6 to 10 sit on Teams for two days." It would publish, after containment, a post-incident summary that the next school could actually use. None of that is in place this week, and the gap is what makes the pattern worth watching.
The open question is not whether Great Marlow will reopen. It is whether the sector will stop writing the playbook in real time, school by school, incident by incident, or whether "day two" will keep recurring as a feature of the response rather than a phase to be shortened.