Over the weekend, ransomware gang Lynx claimed the March 2026 attack on St Anne’s Catholic School in Southampton, UK. It alleges to have stolen confidential information, financial data, and contracts.
On Sunday, March 22, 2026, the school emailed parents, notifying them that a ransomware attack had occurred on its network. The school remained closed for four days before opening on March 27. Headteacher Julian Waterfield said there was “no evidence that any data has been compromised.”
In the latest parent update on April 17, Waterfield said:
Recovery from the recent cyber incident continues, and we remain deeply grateful to all those who showed — and continue to show — such kindness, understanding and flexibility. We are still confident that no data breach occurred; the impact was the temporary loss of control over our network, which underpins everything from teaching resources and internet access to our day-to-day safeguarding systems.”
Lynx, like most ransomware groups, tends to carry out a two-pronged attack. First, it’ll encrypt systems and demand a ransom to decrypt these (as St Anne’s has confirmed was the case here). Second, it’ll hold stolen data to ransom, especially if it hasn’t received a payment in the first stage.
Hackers will often lurk in systems for days, weeks, and even months, before encrypting them, thereby accessing and downloading a variety of data they can hold to ransom. If the ransom isn’t paid, it can sell the data on the dark web.
St Anne’s hasn’t confirmed Lynx’s claim, what (if any) data has been stolen, or whether or not a ransom was paid (either for the decryption of its systems or to delete stolen data). Comparitech has contacted the school for more information and will update this article if it responds.
Who is Lynx?
Since it first started adding victims to its data leak site in July 2024, we’ve tracked 389 attacks via this group. 58 of these attacks have been confirmed by the entity involved.
This is the first confirmed attack on an educational institution via Lynx. Lynx predominantly targets government organizations and businesses (namely manufacturers).
For example, this year, five attacks have been confirmed via the group with two of these being manufacturers (Trisa AG in Switzerland and Kurita Europe GmbH in Germany), one being a transportation company (Hegelmann Group in Germany), and the other being Canadian government healthcare authority, Lakelands Public Health.
Lynx is thought to be a spin-off the other prominent ransomware group, INC, and operates a Ransomware-as-a-Service (RaaS) model in which its affiliates receive a portion of the ransom for using its malware and infrastructure to carry out attacks.
Ransomware attacks in the UK
Throughout 2026 so far, we’ve recorded 120 ransomware attacks in the UK with six of these being confirmed by the entity involved.
Two of these confirmed attacks have been carried out on technology companies — Distinctive Systems, which was claimed by INC, and Adaptavist, which was claimed by The Gentlemen. Automotive information service provider Autovista also confirmed a crippling attack on its systems last month, but the hackers behind this attack remain unknown at the time of writing.
Urban Edge Architecture (claimed by Interlock) and England Hockey (claimed by AiLock) have also confirmed attacks.
About St Anne’s Catholic School
St Anne’s Catholic School & Sixth Form College is home to over 1,200 students, including girls from the ages of 11 to 18 and boys from the ages of 16 to 18.
