NEWCASTLE Grammar School will find out this week if any of its data has been stolen, following a ransomware cyber attack which saw criminals encrypt and destroy part of its network.
Head of School Erica Thomas said having cyber insurance allowed the school to organise a team of specialists to fight and restore some of its system, begin a forensic investigation into whether data had been stolen, manage communication and look at any legal ramifications if there has been a data breach.
"We were told fairly early on that we wouldn't know for over a month whether there had been data stolen," Ms Thomas said.
"I am expecting [this] week the final report on that [a potential data breach]. We were warned it would be at least a month at the start.
"There are over one million files they [the specialists] had to go through and look at. I am hoping they don't find any major problems, but you don't know. We've just got to wait and see now.
"They need to see whether it's been published anywhere and evidently there are usual sites where these things get published.
"They have a look to see what data was leaving the school ... by looking at what is going out on particular dates and times."
The Newcastle Herald reported last month Ms Thomas became aware of the attack on the morning of Saturday November 7 and reported it to local police, the Australian Cyber Security Centre (ACSC) and the school's insurer.
She said she was doing interviews for new staff and "things did not seem right".
"What I was seeing very very strangely was things start to sort of almost disappear," she said.
"I couldn't get into files, I couldn't get into the timetable and even my calendar in my email was starting to shake a little bit," she said.
"I thought 'Okay something isn't right with it'."
The director of studies also couldn't get into the timetable.
The school's IT team identified a "serious problem" and started working immediately on a solution so the school could operate as normally as possible.
"Basically what happened was we believe a malicious email was opened very innocently by a teacher in the school - it had got in despite our protections," Ms Thomas said.
The email referred to a teaching resource.
"What I did not know - but I've now found out lots about this - was this enabled the criminals to be working in our system for a few days before we even knew and it enables them, and this is evidently what typically happens, it enables them to begin disabling your ability to fight them.
"They're doing it at the very very back end of your system."
Ms Thomas said the timing suggests it was a targeted attack. "Saturday morning when you're not operational - it was designed to therefore inflict some pretty significant damage."
Ms Thomas said the school backs up its network every night through one system, which the criminals encrypted and partially destroyed.
The criminals sent the school a link to the dark web demanding money for this to be unlocked. The specialists advised the school not to communicate with the criminals. The ACSC advises never paying a ransom.
The school also backs up fortnightly through a cloud-based system that was "partly compromised" and every two months through a tape-based system.
"We had to resort to the tape," Ms Thomas said. "Our IT team, they rebuilt and they had to re-establish virtually every part of our operating system.
"Our staff, to their credit, have not complained, they lost exams they had written, they lost reports they had written for kids at the end of the year, they lost a whole lot of stuff and had to redo things.
"That is the impact on your organisation. It's massive."
Ms Thomas said despite staff losing everything they had generated in the past two months, they worked hard to minimise impact on students.
"We got reports out to every child, we finished every exam. We have managed to comply with everything we are meant to comply with in terms of finishing off a school year. That, I think, is amazing."
She said families had been "remarkable" and "saw it as just part of yet another thing this year".
Ms Thomas said the encrypted backup still exists, but had been isolated and would be decommissioned and destroyed.
She said the school did a cyber security review just four months ago.
It will continue to have three different backups, but has made changes to how it operates.
"As they've [the IT team] been rebuilding they've been doing it differently," she said.
"They've reorganised the back end so an attack on the organisation can't bring down the whole organisation.
"One of the things schools do is... you try and link as many systems as you possibly can. We've worked on a different model going forward."
Ms Thomas said the incident had provided valuable lessons.
"These things are increasing across Australia," she said.
"This could happen at any point. It's a thing you've got to constantly remind your staff about because no matter how good your policy is, these criminals are getting increasingly clever at the way they badge things coming in to your organisation to avoid your firewalls, to avoid your protective setup.
"It only takes one thing to have happen and the chain of events is so disruptive to your organisation and to your business.
"My advice is you've got to do constant training, you have to constantly review how your system is set up because you get so reliant on the technology and the technology you're using working, but that becomes part of your weakness because it's predictable."