Photographer: Simone Golob
MAASTRICHT. The ransom that was paid to the cybercriminals on 29 December, after they had put a digital lock on Maastricht University’s computer systems, did not come from the UM’s regular reserves. The sale of a company from UM-Holding just prior to the hack had yielded enough to pay the almost two-hundred-thousand-euro ransom.
This information was provided by the Minister of Education, Culture and Science, Ingrid van Engelshoven, on Friday 14 February in a letter to the Second Chamber about the cyberattack on the UM. In her letter, she says that she was informed by the UM that “payment of the ransom, including all other expenses related to the ransomware attack, were funded (sic) from the sale of a participation in the Maastricht University holding”.
As for the expenses, this is not confirmed by acting UM spokesperson Fons Elbersen, “because those expenses are not known yet”. So far, only the amount of the ransom - 197 thousand euro - has been revealed. To this will have to be added the costs of involving cybersecurity firm Fox-IT. That is expected to be a “substantial amount”, said Vice President of the Executive Board, Nick Bos, during the press conference/symposium about the hack on 5 February. Spokesperson Elbersen himself was also employed on a freelance basis, and then “there are the costs of additional software, such as Carbon Black,” he says.
Whatever the eventual amount will be, it cannot yet be said that the costs can be covered entirely by the proceeds from the sale of a business unit. The latter yielded about a million euro, according to the spokesperson.
There are no rules for how to spend such income. The funds could be allocated privately again, or they could be spent on education and research; this time, it was the hack. "It is a rare occasion, we look at the situation at that moment," says the UM’s Director of Finance, Ruud Bollen.
The university is the sole owner of UM-Holding, which in turn had half of the shares of The Maastricht Forensic Institute (TMFI bv). This 50 per cent interest was sold to a firm based in Luxembourg on 19 December 2019, before the hack manifested itself in full.
Exactly when it was decided to spend funds from the UM’s commercial activities is unclear. Another question is why the Executive Board did not elaborate on this fact at an earlier stage. The media and national politicians have great doubts about paying extortioners, in particular if this is done using ‘the taxpayer’s’ money. The Executive Board’s approach appears to be the opposite instead: on 5 February, Bos emphasised that the board had a “devilish dilemma” for the very reason that the university is “a publicly funded institute”. There was no mention of other reserves that could be used.
Elbersen’s reply: “There was no carefully considered strategy to mention or not mention this. The fact that the funds come from one of the UM’s sidelines, doesn’t make it any less bad that criminals are paid. It is always painful. No, I didn’t propose to emphasise the private origin of the funds.”
Actually, Bos did mention this on 5 February, but that was in a separate talk after the symposium, with a reporter from Het Financieele Dagblad. The latter duly wrote later that day where the money came from: not from the budget for education and research. The fact was not picked up by any other media, until last weekend, when the education minister sent her letter.
The letter also says that when the UM was about to pay the ransom and the minister was informed accordingly, the government said that “no money should go to criminals”.
Is this something that the university merely took note of? Or was there a discussion between the UM and the minister? Elbersen: “I cannot comment on that.”