In September this year, ID-Ware, the company that produces the TU/e campus cards, was hacked and data was stolen. At the time, only a limited amount of data seemed to be involved, and the people then known to be affected were notified on October 8; this received little publicity. It has since emerged that the breach is far larger than initially thought, and TU/e was informed of this on October 14. No figure has been given for how many people are affected, but the warning email was sent university-wide to a community of more than 20,000 people, and ID-Ware also produces cards for other organizations and processes personal data on their behalf.
The data stolen varies from person to person, but it may involve one or more of the following:
- TU/e ID
- Initials
- Last name
- Address
- Residence
- Student number if applicable
- Place of birth
- Private email address
The stolen data can be found on the dark web if you know how to search there.
Risk of identity fraud
Campus cards remain active and students and staff can continue to use them. ID-Ware had no access to TU/e account passwords, so those were not leaked. The breach could still have serious consequences, such as identity fraud, and the data can also be used for phishing and spam: a sender who knows your name, address, student number and private email address can write a convincing message posing as TU/e or ID-Ware, for instance about your campus card. It is therefore advisable to be extra alert to unsolicited messages of this kind, as the warning email also notes. Anyone who becomes aware of any form of identity fraud is advised to report it to the Central Identity Theft and Error Reporting Center.
Reporting the breach
The email to the TU/e community, signed by the Executive Board, says nothing about consequences for ID-Ware, nor about whether the leak was reported to the Dutch Data Protection Authority, which is mandatory for a data breach of this kind (under the GDPR, within 72 hours of the organization becoming aware of it). ID-Ware's own statement does not explicitly mention the Data Protection Authority either, but it does say that the company is in close contact with 'the police, government and National Cyber Security Center'. Failing to report a data breach in time can carry a substantial fine; reporting one does not in itself result in a fine or other penalty.