Data breach notification sub-processor UU
Last month we were informed that a data breach occurred at one of our external suppliers. The registration of UU Wellbeing Week uses an external supplier that has outsourced some services, such as the SMS traffic, to other suppliers who use backup carriers to deliver the SMS messages. The data breach occurred at one of the backup carriers of the SMS traffic; IdentifyMobile.
Ethical hackers found that personal data was publicly accessible to unauthorized persons for a period of 5 days. Phone numbers, SMS messages (reminder of the registration for a UU Wellbeing week activity) and SMS timestamps of 571 students were involved. Affected students have received an email at the email address they submitted while registering for the UU Wellbeing Week.
After discovering the data breach, measures were taken to close the data breach. The personal data are no longer accessible and the ethical hackers have confirmed that they do not possess the personal data. In addition, the cooperation with IdentifyMobile as a backup carrier has been stopped and the data breach has been reported to the Data Protection Authority. Although the privacy risk is very limited, IdentifyMobile cannot guarantee that no other parties have had access to the data. We deeply regret this and have asked affected students to be alert to spam and phishing and smishing attempts.
If you have any questions about the data breach, please contact the Privacy Officers of the Student & Academic Affairs Office, by email at ubd.oo.privacy@uu.nl. For complaints, please contact Utrecht University's independent Data Protection Officer at fg@uu.nl.