Many questions about data breach at ID-Ware remain unanswered
When did the university start sharing home addresses of students and staff members with ID-Ware, so that the campus cards could be sent to people’s home address? According to the spokesperson for the Executive Board, ID-Ware has been sending “the bulk of the cards” made for new students by post “for many years.” The company required the addresses for this. The exact year in which this practice started has not been made public. There is also “no basis at this point to conclude that the sharing of address details of personnel started prior to 2021,” the spokesperson says. Cursor’s request to gain access to a full overview of all personal data provided by TU/e to third parties, including ID-Ware, was rejected. The University Council also submitted questions. TU/e’s own, internal investigation is still ongoing.
Comment on the changes made to this article on Friday, 25 November:
Cursor’s attempts to find out since when exactly students and staff members have been receiving their campus cards by post were met with the following response from Digital Management & Library (DML): ‘Students with a Dutch post address receive their cards at that address. In most cases, this is their home address. Students with a foreign post address don’t receive the cards by post and are required to collect their cards on campus.’ Cursor continued with a follow-up question: ‘Do all students receive their cards by post, or does this apply only to bachelor’s students at the start of their first year? And what rule applies to new employees; do they receive their cards at their home address, or do they always need to collect them at the university?’ This question was answered as follows: ‘The current procedure, as described in the previous mail, started in May 2021 and applies to all students and staff members. An exception was made for the JADS cards, which are sent to JADS Den Bosch.’ Based on this response, Cursor concluded that no cards were sent by post prior to May 2021, and that cards had to be collected. This didn’t seem to correspond with the Executive Board’s previous statement that home addresses had always been a requirement in order to send campus cards.
Today, Friday 25 November, the spokesperson for the Executive Board said that ID-Ware has been sending “the bulk of the cards” made for new students by post “for many years.” Since when exactly still remains unclear. The spokesperson also said that there is no basis at this point to conclude that the sharing of address details of personnel started before 2021. “There’s also a possibility that address details of existing staff members, who were hired prior to 2021, were sent to ID-Ware with the purpose of sending them new cards,” according to the spokesperson. That information has been verified, he said, and “makes the conclusion that the Executive Board spreads false information invalid.”
Students and staff members have already been informed twice about the hack at ID-Ware, the company that has been producing campus cards for TU/e since 2014. The first time was on 21 October, when the university issued a statement saying that hackers had stolen personal data of some 21,000 campus card holders. The stolen information concerned identification data, such as names, addresses and campus card numbers, ‘but no passwords, photos or key files,’ the statement said. On 7 November, after ID-Ware completed its investigation, the university issued a second statement, saying that in addition to addresses, hackers had also stolen photos of 2846 TU/e pass holders, as well as phone numbers of 2166 people. Those affected were informed via email.
University Council shocked
Following the announcement of the hack at ID-Ware and the resulting data theft, people within the TU/e community have been wondering how this could have happened. They also want to know why ID-Ware has access to such large quantities of data. Thomas Koot, member of student faction DAS and chair of the University Council’s Information Management (IM) committee, says that the council was shocked by the data breach. He underlines how important it is “for TU/e to learn from any mistakes the university might have made, in order to prevent another data breach from occurring in the future.”
The IM committee held a special meeting about the hack “with the business owner, the delegated business owner, the crisis manager and the data protection officer. Our committee was expertly informed, but a number of questions remained unanswered, or were answered only partially, because the university’s own, internal investigation is still ongoing,” Koot says.
The hack will also feature on the University Council’s agenda during the upcoming council meeting on Monday, 28 November. Several questions have already been submitted to the Executive Board in writing. One of the questions put forward is why ID-Ware had access to so many data categories that are irrelevant for a campus card, including a card holder’s place of birth, and why ID-Ware still hasn’t deleted this information ten years after it issued a campus card. On top of that, the University Council believes that TU/e’s General Data Protection Regulation register is both incomplete and not entirely correct. Koot’s committee would like to know when the university plans to update this register and correct the mistakes it contains. The Executive Board already informed Koot that it will share the internal investigative report with the IM committee, and that potentially similar privacy risks at TU/e will also be analyzed.
Token or copy
Tom Verhoeff, assistant professor at Mathematics & Computer Science, is also worried about this data breach. Verhoeff: “You wonder which personal data ID-Ware has access to, and how the company was granted that access. Was that done with a token that allowed them access to the TU/e system, or did they regularly receive copies of the data? And there’s a third option: did someone at ID-Ware download a copy of this data to a more vulnerable system, for whatever reason, for example because he or she wanted to test a new feature, or carry out an analysis. The consequences differ, depending on how ID-Ware gained access. And why did the company have access to information about a card holder’s place of birth? This creates an extra risk for identity fraud.”
Permission
Cursor requested a total overview of all personal data of students and staff members that TU/e shares with third parties, and wanted to know whether the university is permitted to do so. We received the following response from the Executive Board: “Photos (of card holders, ed.) are required, so that the card can function as identification. In view of the necessity of the use of the photo and TU/e’s legitimate interest in this use, the university is not required by law to obtain the card holder’s permission for providing ID-Ware with the photo. TU/e does however want to handle this information with care and is currently in the process of determining what information will be necessary in the future.”
The board has so far not been willing to divulge the exact nature of the personal data provided to third parties, including ID-Ware. Nor has it answered Cursor’s more general question whether or not it needs and/or asked permission for sharing this data.
Some weeks ago, vice-president Nicole Ummelen said that ID-Ware sends the campus cards to people’s home address, which is why it needs to have access to this particular bit of information. Cursor asked about the necessity of this practice, and whether it wouldn’t be possible for students and staff members to simply collect the card themselves at the university at the start of their studies or employment. Sending the cards to people’s home address presents an extra risk, because it’s easier to intercept cards sent by post. The Executive Board says that “as a service, an effort was always made to provide new students and staff members with their campus card well before their first day on campus. Their home address is necessary in order to send these cards by post.”
Own investigation
In its statement issued on 7 November, TU/e said that ID-Ware had completed its investigation. “This was an internal investigation carried out by ID-Ware into the ransomware attacks aimed at that company and the consequences thereof,” according to the Executive Board in response to additional questions by Cursor. “In addition to this, we are busy carrying out our own investigation into the exact causes and backgrounds in relation to TU/e’s processed data. TU/e’s data protection officer is also investigating the matter. Based on this, TU/e will draw conclusions about these situations and about the prevention of similar situations.” According to the university’s policy spokesperson, this investigation could take several weeks.
When asked whether the university will terminate or temporarily discontinue its collaboration with ID-Ware, the Executive Board says that it “cannot answer this question at this premature stage. We will first conclude our investigation into the exact causes.”