What would you do if your school underwent a cyberattack? Here is one member school’s story and how it managed the malicious event. 

In November 2020, AISNSW member Newcastle Grammar School underwent a ransomware attack so aggressive that it crippled the school’s entire operations for days. It sounds like something out of a Spielberg sci-fi, only it was real, and it is not an isolated case. Just recently, the NSW Department of Education experienced a similar incident.

Newcastle Grammar School Principal, Erica Thomas, and Michael Browning, Director of IT, shared their experience and learnings at the recent AISNSW ICT Management and Leadership Conference. Following is an excerpt from the keynote along with a link to a recording of the keynote presentation to support all independent schools in lessons learned from a full-scale cyberattack.

Please contact Maurice Cummins, CIO AISNSW, for advice and support on your school’s cybersecurity strategies to manage these risks.

Take-outs in managing a school cyberattack 

  • Discuss the issue of cyberattacks with the school Executive and Board and include it as a scenario as part of your school’s Critical Incident Management Planning
  • Investigate a reputable insurance policy covering cyberattacks
  • Assess your school’s IT platform, ensuring vulnerabilities are recognised and managed
  • Ask your IT staff to validate your back-ups by conducting a regular Challenge Restore process
  • Conduct a cyber awareness training program for staff to assist them to identify characteristics of phishing emails
  • Budget for and invest in an annual internal and external security penetration test through a reputable company 
  • Ensure you have a Notifiable Data Breach Policy in place
  • Consider having an additional communication application that sits outside the school’s infrastructure to enable communication in the event of an outage
  • Consider an immutable storage solution (read only) to reduce your risk exposure, especially if using online backups rather than tapes


The cyberattack

It was a Saturday morning when Erica Thomas noticed something was amiss with the school’s technology system. 

It was her first weekend off in months given the first COVID onslaught and she had decided to do a little preparation on upcoming Zoom interviews for staff in 2021.

Feeling something wasn't right, Erica made a call to the Director of Studies who was unable to log into any timetables.

“We’ve got a major problem,” he said.

A call to the IT Director soon confirmed their suspicions.

All the servers were disabled; the network was encrypted. The school had undergone a malicious cyberattack.

“We had a nightmare,” Erica says.


“We had Year 7-10 about to start their exams on the Monday. Year 12 was in the middle of the HSC and Year 11 students were doing assessment tasks. It’s November. I was already up to Plan D for Year 12 speech night and how we were going to manage that because of COVID. My primary staff were just completing their reports.

“There was no way to communicate, no email, no school phones were working.”

“There was nothing working,” Erica said.

Managing a critical incident

A cyberattack is a major critical incident for a school, and it is an issue of growing concern and prevalence. When a school’s entire operations rely on the network, an attack can jeopardise student and staff safety, school security, intellectual property, bank accounts, students’ education and the school’s reputation. If there is a data breach, there are legal implications.

“At this point, you’re not sure what it is really going to be,” Erica says.

“We knew they were in our system – what had they stolen?”

The school already had a critical incident management plan, but it fell short of cyberattacks.




“We had every scenario under the sun in our critical incident plan, but we didn’t have a cyberattack.

“We didn’t have listed how we would manage if we had no access to any communication systems,” Erica said.

“We had to think about, ‘Where do we respond, and how we respond’. I wasn’t confident we could run school on the Monday, and as it turned out, we couldn’t.”

The Board was informed, and the event was reported to the local police station and to the Australian Cyber Security Centre.

The insurance broker was contacted, which offered technical and legal guidance and access to a forensic cybersecurity specialist.

The most important issue on Erica’s mind was whether the school had had a data breach and what that meant.


The IT Manager was able to validate the cybercriminals through a link leading to the dark web. It was then the regional school realised what it was dealing with.

“The ransomware was really significant,” Erica said.

“They wanted over $1 million in cryptocurrency. We suspect it was a Russian group. This group is in the FBI’s top five wanted list.

“They had read our annual report, the compulsory one we have to put online. They had decided we could financially afford this.”

Key priorities when all systems are down

So many considerations had to be made.

A small and dedicated IT team was allocated the task of getting the network back up and running, while Erica worked with the Executive and the Board to devise how to communicate to staff, parents and students.


“At this stage you are in an absolute critical incident. You bring in your key Executive team, you have one point of contact with IT … and I have a very supportive Board.

“It’s one of those moments where you realise why school structures are set up the way they are.

“It was a very emotional time coming out of COVID when we were all drained and exhausted.

“The students were in a panic. We lost a lot of data – the primary staff lost all of their end-of-year academic reports.

“We had three days of exams photocopied but not five – staff had to reinvent their exam because we couldn’t access any of these materials.

“You’ve got at that point a school community that is in absolute freefall.”

Communication and support

Parents were asking questions on Facebook. The key priority was how to communicate. The school found a legacy application that was cloud-hosted, outside of the main network.

“My level of relief went through the roof at that point,” Erica said.

A message was issued that the school would not be operating on Monday. It gave the school time to recalibrate. So much was happening, and so fast, and it was only in the heat of the moment that it was realised just how complex an incident like this was to manage. Not only was there the stakeholder management, the IT infrastructure, the communication to the ‘threat actors’, media yet to surface, but there were also real lives being affected.


The IT team began working around the clock. While they were exhausted, it was their morale that was a key priority; the IT team felt they had let the school down and were anxious about their ongoing employment.

“They were worried it had come through into our environment and that once everything was back up they would get a call to say, ‘Thanks but you let this through’,” Erica said.

“They didn’t let the team down. I feel quite emotional when I say it. They had not let anyone down, but what they’re doing at this point is they’re playing an almost cat and mouse game … the pressure they were under was just extraordinary.”

“That is something you have to be really protective of and work with if this ever happens.”

Understanding the implications of system breakdowns

Through communication with the cybercriminals it was established they did not yet have access to the data. The IT Team was able to turn off the system altogether.

“It wasn’t as satisfying as ripping cables out of the wall; the senior engineer was able to disable the internet from the firewall,” said Newcastle Grammar School’s IT Director Michael Browning.

“Once we had done that, the forensic team advised not to communicate with the threat actor,” Michael said.

By Tuesday, the main system was back up.

Then began the process of rebuilding.

Managing community expectations

The school community needed frequent communication, and transparency was key in managing the extent of the damage, including potential data and privacy breaches.

“I was emailing parents about every second day, telling them what had been restored,” Erica said.

“In the end, what was most important was the reputation of the school – if we had not acted ethically, or appropriately or in a timely way we would have been dealing with a much bigger crisis.”

As soon as the first message had been sent to parents, the media began calling the school.

The strong relationship the school had with the local press meant Erica was able to secure a few days before the media broke the story.

“We were conscious that we were told the threat actor would be watching everything we did.”

Data breach mitigation

It took almost four months to receive the legal report, which determined that there had not been an actual data breach. But what had become apparent was that data had not been managed.

Passport numbers from school trips had been stored on computers. Children’s birthdays, parent addresses and phone numbers were on Excel spreadsheets.


“You are dealing with something that I decided was a moral breach … I had to go back 12 years when looking at things that could have been stolen,” Erica said.

“I have learned with everything we’ve just gone through I need a tool that sits outside the system that allows me to communicate – that is a key takeaway from any of this.”

The school was running within about five days because the IT Manager was able to restore systems and data from tape back-ups.

“We knew our reputation was still intact, our community was pleased with the way we’d handled it, our level of communication.”

The staff gave the IT Team a standing ovation.

“We’ve learned we should look carefully at what comes into the school and into our email inbox. However, we still don’t 100 per cent know how they got in.

“We’ve got to do far more training in this area because no matter what systems we put in place we’re vulnerable because one person’s click can change everything in an instant.

“And PS: We did not pay the ransom!”