The way I see it, the school has no choice but to pay up.
If any of those pilfered files hit the internet, the school will be paying more from litigation.
On the other side of the world, ASIC sues financial services company for repeated hacks. (And take note the company is an affiliate to an Australian bank.)
In those two cases, a computer was infected with ransomware that rendered the files on it inaccessible, and a network being hacked by remote access resulting in a data breach affecting 226 client groups.
The unknown hacker obtained access via an FFG staff account, and spent more than 155 hours logged into the file server that contained senstive financial information and client identification documents.
KPMG's forensic analysis also found crypto miner malware on the file server, as well as a virtual private network being set up, a peer-to-peer file sharing application, hacking tools and brute-force password cracking software.
I'll let y'all read this article. It's them "what else can go wrong" moment.