Hit enter to search or ESC to close

Lessons from a high school cyber attack

Sophisticated cybercriminals target all types of businesses and individuals in New Zealand, even schools and not-for-profit organisations. While the cost of such attacks is measured in more than dollar terms, cyber insurance is helping affected businesses navigate towards recovery.

Two years ago, Hutt Valley High School in Wellington was the victim of a large-scale cyber attack. With cyber insurance in place, and changes to the way the school approaches its data security, the school has found a way forward. But it has a warning for others.

Hutt Valley High School Business Manager, Craig Braun, says the school was unlucky and naive about the best level of security. This meant they were vulnerable like many businesses to a cyber attack. 

A damaging attack

A request to reset network passwords, combined with phishing emails that looked similar to requests from Google, led to the school's authentication credentials being captured by cybercriminals.

A hacker accessed the school system and downloaded a keystroke logger – a programme that sits on a person’s computer undetected, recording every key they tap on the keyboard remotely – to copy a 16-character administration password. Ultimately, this is what let the hackers in.

 “Overnight, cybercriminals went about shredding, reformatting and encrypting every single file on our network. Backup servers were gone, and they locked anything that looked like it was management-related,” says Craig.

 The damage done was enormous, with the school having to “rebuild the entire system from scratch.” Thankfully, the school’s critical data pathways, which are backed up every night in the cloud, were recoverable, including financial, student management, and human resources information.

Cyber insurance and support 

Crombie Lockwood has worked with Hutt Valley High for many years, arranging their contents, liability and vehicle cover. And four years ago, the school added cyber insurance to their suite of schools insurance protection.

 “Crombie Lockwood was really clever to read the tea leaves and recognise this risk was growing rapidly for schools. We took a level of cover that we thought would be able to sustain us and support us in the event of a serious cyber attack or fraud.”

 In the wake of the attack, Craig says his first phone call was to Crombie Lockwood insurance broker, Charlie Shelley, who very quickly appointed a host of people to support the school, including PR and legal support, and a cyber specialist to provide high-level technical management.

 The school also received guidance from their private provider, the Ministry of Education’s cyber response team, N4L, Netsafe, Computer Emergency Response Team (CERT) and the Government Communications Security Bureau (GCSB).

Securing the future 

The school has now implemented two-factor authentication, replaced their terminal server with a Virtual Private Network (VPN) that requires individual IP authorisation, and installed cloud-based, New-Generation Anti-Virus (NGAV) software, which includes active threat management among its features.

Craig says the school learnt the importance of cyber insurance, specialist support, offsite cloud backup of critical data pathways, maintaining security updates and a programme that constantly replaces older technology. In the wake of the attack, the school has also increased its level of cyber cover.

 “Having a two-factor authentication is vital, because credentials are too easy to lose. And above all, any board or company – be it private, not-for-profit, state; it doesn't matter – you have to have cyber insurance. In my humble opinion, you're being negligent if you don't.”

CL647C CLMB Cyber social image 1200pxw x 630pxh V1

Anyone's a target

Cyber attacks happen to businesses of any size, in every industry. Our cyber insurance brokers help businesses identify and assess cyber risks, provide insurance advice, and arrange the most suitable cyber protection.

Get your cyber insurance sorted.

Contact a broker

Published April 2021

Cyber      Client stories