Internal investigation into ID-Ware leak made public
“Stop processing people’s place of birth, date of birth and sex for the campus card process.” This is the first recommendation in the report by Bas Schellekens, TU/e’s independent Data Protection Officer, who carried out an internal investigation into the leaking of data of thousands of campus card holders in October 2022. The leak originated from card provider ID-Ware, which had been hacked. What could or should the university have done to minimize the risks?
Looking at the other recommendations in Schellekens’ report, it would appear the university has its work cut out for it. A general recommendation is to evaluate the collaboration with ID-Ware and to discuss the findings from the report with them. In the report, the reader will also find an action plan with a timeline. LIS director Frank Hendrickx says that the university is on schedule with the planned actions.
Schellekens indicates he was given access to all the information relevant to his investigation. “The university is legally obliged to do so and there were no problems there. I also got to peruse the investigative report that ID-Ware had drawn up by cyber security agency Fox IT.” In his own report, Schellekens writes that TU/e reported the data leak to the Dutch Data Protection Authority in a timely manner and also “timely and correctly informed” those directly involved.
Three steps
The latter was done in three steps, as more and more information on the magnitude of the leak emerged. “At first, it seemed a smaller leak,” Schellekens says, “involving 1822 people.” These people were informed by email, but soon afterwards it became apparent the leak was bigger after all. On 21 October a news item was published, stating that the data of around 21,000 people had been leaked, and that it concerned “identification data, such as names, addresses and campus card numbers, but no passwords, photos or key files.” Another item, published on 7 November, revealed that the photos of 2,846 of the people affected had also been leaked, as well as the telephone numbers of 2,166 people.
Not surprisingly, Schellekens writes that all of this caused “unrest about the circumstances of the data leak within the TU/e community.” The goal of the report that has now been made public was “to answer the most urgent questions within a short time period.” It was published online and dates back to last month, at which time its content was discussed with members of the University Council committee (and other parties) involved.
Critical remarks
The report contains critical remarks about the campus card process. Schellekens indicates, for example, that more personal data was supplied to ID-Ware than necessary and that the general retention period for some categories of personal data is too long. These are exactly the issues flagged by the affected employees and students, as well as by Cursor, when the leak was announced back in October.
Furthermore, a discrepancy is reported to exist between the legal agreements and the actual processing. The way the provider, i.e. ID-Ware, handles personal data also raises questions. “The processing activity with respect to the campus card process is not in line with the legal principles of data minimization and storage limitation,” is how the report puts it somewhat verbosely. “As a result, the impact of the incident was bigger than it would have been if the data processing had been in accordance with the norms outlined in the GDPR,” Schellekens concludes.
Schellekens recommends going ahead with the planned Data Protection Impact Assessment (DPIA) and adjusting the data processing practices to the outcomes of this DPIA where required. In addition, ID-Ware is to destroy all data not needed for its service provision and the register of processing activities is to be corrected. In his capacity as a data processing supervisor, Schellekens will not follow up on his own recommendations. “It’s up to Library & Information Services (LIS) and Real Estate (RE) to do so.” The introductory letter the Executive Board added to the report states that an action plan has already been formulated based on the findings.
Subpar
One thing that jumps out from the report is Schellekens’ remark that “the findings of this report cannot be seen as separate from our general subpar handling of data protection, which means the most important recommendation is to structurally increase, support and accelerate the planned and ongoing actions in this context.” He also thinks policy should be designed and implemented “that makes sure changes to processing activities are assessed and, if necessary, are translated into changes in formal documents and the register of processing activities.”
In addition, the flow of data to the current providers needs to be analyzed and compared to the personal data categories included in the corresponding processing agreements and the register of processing activities. Providers are to be audited for this on a regular basis and funds are to be made available to this end. In the abovementioned letter from the Executive Board, the necessity of following these recommendations is recognized “to prevent similar incidents in the future.”
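As an added example that is not part of the report or of TU/e’s own tooling, the following Python sketch shows the kind of check this recommendation calls for: comparing the fields a provider actually holds against the categories in the processing agreement and flagging records kept past the retention limit. The agreed field set, the 365-day retention period and the sample records are assumptions; the prohibited fields are the three named in the report’s first recommendation.

```python
from datetime import date, timedelta

# Field categories the (assumed) processing agreement lets the card provider receive.
AGREED_FIELDS = {"name", "address", "campus_card_number", "photo", "phone"}
# Fields the report recommends no longer be processed for the campus card.
PROHIBITED_FIELDS = {"place_of_birth", "date_of_birth", "sex"}
# Assumed storage limit for provider-side records; the real value comes from the DPIA.
RETENTION_DAYS = 365


def minimize(record):
    """Drop every field the processing agreement does not cover before export."""
    return {k: v for k, v in record.items() if k in AGREED_FIELDS}


def audit_provider_copy(records, today):
    """Compare what the provider holds with the agreement and the retention limit.

    Returns a list of (card_number, issue, detail). 'received_on' is the
    provider's own bookkeeping date, not a personal data field, so it is skipped.
    """
    findings = []
    for r in records:
        card = r.get("campus_card_number", "<unknown>")
        held = set(r) - {"received_on"}
        prohibited = held & PROHIBITED_FIELDS
        if prohibited:
            findings.append((card, "prohibited_field", sorted(prohibited)))
        extra = held - AGREED_FIELDS - PROHIBITED_FIELDS
        if extra:
            findings.append((card, "not_in_agreement", sorted(extra)))
        if today - r["received_on"] > timedelta(days=RETENTION_DAYS):
            findings.append((card, "past_retention", r["received_on"].isoformat()))
    return findings


# Constructed sample of what a provider might hold; not real ID-Ware data.
SAMPLE = [
    {"name": "A. Example", "address": "Example St 1", "campus_card_number": "C001",
     "phone": "+31 0 0000", "received_on": date(2022, 9, 1)},
    {"name": "B. Example", "campus_card_number": "C002", "date_of_birth": "1990-01-01",
     "sex": "F", "place_of_birth": "Eindhoven", "received_on": date(2022, 9, 1)},
    {"name": "C. Example", "campus_card_number": "C003", "student_number": "S9",
     "received_on": date(2020, 1, 1)},
]


def run_sample():
    """Audit the constructed sample as of the day the leak was first announced."""
    return audit_provider_copy(SAMPLE, date(2022, 10, 21))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```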
A FAQ site with more information on the matter has been set up.
Next week, Cursor will ask LIS what they are planning to do – or what they have already done – with the findings of the report.