Alarming stories were published in the media last week about the UM mainly paying the ransom to the cybercriminals because otherwise scientific data and personal information of students and staff from the past decade might be lost. The basis for all this was a long article in De Volkskrant on 24 January, which, on reflection, lacked a solid basis. What is the situation?
From the beginning, the UM has stated that scientific data is protected by additional safeguards. This was announced by the regular spokesman for the UM, Gert van Doorn, as early as 24 December. Whether the data was nevertheless contaminated, still had to be investigated at that time.
The outcome appears to be positive. Although the UM still won’t issue official reports until the planned meeting on 5 February, the UM’s interim spokesperson Fons Elbersen says that there is “good hope that research data has not been stolen or destroyed. Should this hope indeed turn out to be true, researchers can avail of the same data as before the hack. This doesn’t mean that it hasn’t been encrypted, chances are it has. But we still don’t know everything. Shortly before 5 February, Fox-IT will issue a report of the investigation and then we will know more.”
Inquiries among researchers and other members of staff proved that there is absolutely no panic within the faculties. Many don’t have their data on Windows servers anyway, so they were shielded from the hack, even though the first remedy - temporarily taking all systems offline centrally - obviously did cause some inconvenience. However, these blockades were already partly raised by the beginning of January.
At the Faculty of Psychology and Neurosciences, almost all data is accessibly again, the last tests were carried out there last week. Nothing has been lost, says a well-informed member of staff. Data on test subjects was never in any danger, this is all disconnected from other data and unattainable for a cyberattack like this. Scientific research was resumed as usual last month, “I have not heard from anyone that they couldn’t work in the lab. PhD candidates were also able to get on. For the time being, people are putting new data onto a memory stick, to be uploaded at a later date.”
So, the issue that remains, is the hacked personal data. Did scans of passports and diplomas fall into the wrong hands? Has information been copied? The UM also has “good hope” that no information has been leaked. But there is no certainty yet, the spokesman reported, “as this is still part of the ongoing investigation”. A report has been sent to the Dutch Data Protection Authority (DPA) regarding a possible data leak. That is compulsory. Elbersen: “The UM’s Data Protection Officer is in contact with the DPA concerning this matter.” Should the report of the investigation prove that there was indeed a data leak, the UM does have a problem. Two weeks ago, Het Financieele Dagblad already wrote that privacy experts warned against the consequences. “If it were to be proven that security was not up to scratch, the university could expect a penalty or a fine and possible claims for damages by victims whose data may have been stolen.”