At the end of 2019, the UM fell victim to a ransomware attack. Cybercriminals had hacked into the system and held the data hostage. This resulted in the university being completely offline. In the end, the university decided to pay the ransom of almost two hundred thousand euro. In a symposium on 5 February 2020, the Executive Board explained its motives and answered questions such as ‘Was the UM’s security not up to scratch?’.
Maastricht University also used SURF to share the possible risks with other universities. SURF is the ICT collaboration organisation for education and research in the Netherlands. “In doing so, the UM did the sector a great service,” says Wim Biemolt, chairman of SURFcert, SURF’s branch that offers help in the case of security incidents, in a press release.
It is not the first time that the UM has received compliments for its approach. In a report from June 2020 on the matter, the Inspectorate of Education praised the university’s “open communication”. The symposium in February was seen by the Inspectorate as a classic example of how the UM warns other organisations and contributes towards “the learning capacity of the higher education system”.
“We initiated a social debate,” said vice president Nick Bos, looking back on the cyberattack in Observant of December 2020. “Others are now also thinking about how the resistance of universities and other organisations can be improved. If we had tried to keep it a secret – which would have been difficult anyway, but many organisations keep quiet for fourteen days after a cyberattack and remain quiet – this wouldn’t have happened. I regularly get phone calls for advice from organisations that have been hacked. Recently, we had a French film crew visiting: what did you do, they wanted to know, what insights did it give you? There are a lot of cyberattacks in France as well, but not much transparency.”