Get in touch with the school by any means necessary. There will certainly be a 'contact us' form on the website; if not, pick up the phone and do them a favour and call them. Even if they are in a different country, VoIP calls are quite cheaper today and I'm sure you can afford the cost.
Explain the situation in good details, making clear that your intention is not to expose anyone's privacy nor to ask for a ransom but that you are doing your duty as a responsible citizen. This is because often non-techie tend to panic and call the police pointing you at the culprit.
If you are able to, offer your advice on how to protect the webserver or explain what should be done so they can independently verify your advice by going e.g. to OWASP or asking questions on Security Stack Exchange.
Offer some degree of personal information e.g. how to get in touch with you, what is your name, and make your e-mail as professional and polite as possible. It is very likely that it happened as a genuine mistake so there is no need to add fuel to the fire that will generate.
Imagine the person on the receiving end is e.g. your grandmother (or any non-techie -- no offense for grandmothers out there). How would you explain it to them? What details would you offer first?
Make sure you cc: other people e.g. the principal, vice-principal etc. so that there can be no "your word versus theirs" if it comes to litigation.
Lastly, if you think the data exposed is really dangerous, make it clear that you will report this to the police if you do not get an answer by XXX days (be reasonable and account for school holidays).
