- 06/10/2021
The data leak was discovered on 1 September. HAN’s investigation into the leak is almost complete, and has established that a hacker obtained information on students, employees and other contacts.
RTL News reports that when the university refused to meet the hacker’s ransom demands, the data was published online. While HAN has not specified the amount of money demanded, it is apparently ‘a multiple’ of the €10,000 reported by other media sources.
Stolen data
The investigators have found that the hacker used an online form to gain access to a university server. According to HAN, at least 95 percent of the stolen data was general personal information, such as names, addresses, e-mail addresses and telephone numbers.
Three percent of cases (14,766) involved privacy-sensitive personal data such as social security numbers (407), work-related disabilities (2,087), delays to study (1,418) and political preferences (152). Some of the data on the server dated back to 2011.
Although the investigation is still ongoing, it is already clear that in 2 percent of cases the hacker had help collecting the data, leading HAN to conclude that there must have been ‘coordination’. This coordination primarily concerned the hacker’s access to general personal information.
HAN wishes to take this opportunity to apologise again for the hack, and the institute regrets that it could not prevent the data from being stolen. The people affected will be informed of the leak and will be offered tips on how to minimise risks from phishing.
Cyber security
Last month, the inspectorate concluded that the government should intervene in matters of cyber security in education. Higher education institutions have already been targeted several times, with a 2019 ransomware attack taking Maastricht University’s systems offline until the university paid the hacker almost €200,000.