Lessons from a high school cyber attack

Two years ago, Hutt Valley High School in Wellington was the victim of a large-scale cyber attack. With cyber insurance in place, and changes to how the school approaches its data security, the school has found a way forward. But it has a warning for others.

Hutt Valley High School Business Manager, Craig Braun, says the school was unlucky and naive about the best level of security. This meant they were vulnerable like many businesses to a cyber attack. 

A damaging cyber attack

A request to reset network passwords, combined with phishing emails that looked similar to requests from Google, led to the school's authentication credentials being captured by cybercriminals.

A hacker accessed the school system and downloaded a keystroke logger – a programme that sits on devices undetected, and records every key a user taps on the keyboard remotely – to copy a 16-character administration password. Ultimately, this is what let the hackers in.

 “Overnight, cybercriminals went about shredding, reformatting and encrypting every single file on our network. Backup servers were gone, and they locked anything that looked like it was management-related,” says Craig.

 The damage done was enormous. The school had to “rebuild the entire system from scratch.” Thankfully, the school’s critical data pathways, which are backed up every night in the cloud, were recoverable, including financial, student management, and human resources information.

Cyber insurance and support 

Crombie Lockwood has worked with Hutt Valley High for many years, arranging their contents, liability and vehicle cover. And four years ago, the school added cyber insurance to their suite of schools insurance protection.

 “Crombie Lockwood was really clever to read the tea leaves and recognise this risk was growing rapidly for schools. We took a level of cover that we thought would be able to sustain us and support us in the event of a serious cyber attack or fraud.”

 In the wake of the attack, Craig says his first phone call was to Crombie Lockwood insurance broker, Charlie Shelley, who very quickly appointed a host of people to support the school, including PR and legal support, and a cyber specialist to provide high-level technical management.

 The school also received guidance from their private provider, the cyber response team for the Ministry of Education, N4L, Netsafe, Computer Emergency Response Team (CERT) and the Government Communications Security Bureau (GCSB).

Securing the future 

Hutt Valley High has now implemented two-factor authentication, replaced their terminal server with a Virtual Private Network (VPN) that requires individual IP authorisation, and installed cloud-based, New-Generation Anti-Virus (NGAV) software which actively manages cyber threats.

Craig says the school learnt the importance of cyber insurance, specialist support, offsite cloud backup of critical data pathways, maintaining security updates, and regularly replacing older technology. In the wake of the attack, the school has also increased its level of cyber cover.

 “Having a two-factor authentication is vital, because credentials are too easy to lose. And above all, any board or company – be it private, not-for-profit, state; it doesn't matter – you have to have cyber insurance. In my humble opinion, you're being negligent if you don't.”