8 December 2020

Notification data breaches October and November

In October and November, three separate incidents took place in which an unauthorized person had temporary access to the account of an employee or a student of Utrecht University. As a result, it is possible that unauthorized persons have had access to your personal data. Each incident constitutes a data breach, and all three data breaches have been reported to the Dutch Data Protection Authority.

This message is a notification to inform you. Below, we describe what happened in each data breach, and then explain the possible consequences these data breaches may have for you.

We were informed by ACS Publications, a party that manages online library access for Utrecht University, that the account of a student had been blocked due to excessive traffic from several countries. This means that the student’s login credentials were known to unauthorized persons. Unauthorized persons may therefore have been able to log in to the student’s mailbox. It is unlikely that this actually happened, since we have received no signs of it.

The student’s account password was reset on 9 October, 36 hours after the excessive traffic had started and 18 hours after ACS Publications notified Utrecht University. As a result, the unauthorized persons no longer had access to the student’s account. The excessive traffic also subsided.

Spam was sent from the account of a UU employee. This spam was also sent to other addresses within Utrecht University. The employee did not send it himself, which means that an unauthorized person had access to the employee’s account.

The Computer Emergency Response Team (CERT) reset the affected employee’s password on 15 October. From that moment on, no more spam was sent from the mailbox concerned.

Several UU employees received a phishing email which contained a fake invitation to participate in a Zoom meeting. These phishing emails were part of a worldwide phishing campaign and were not specifically aimed at Utrecht University.

Upon accepting such an invitation, Solis credentials were requested. We know that at least one employee entered his or her login details; as a result, unauthorized persons had access to that employee’s account. The employee’s password was changed within an hour, after which the unauthorized persons no longer had access to the account.

In response to this phishing attempt, all these invitation emails were removed from the mailboxes within Utrecht University. Also, new emails associated with this phishing campaign were deleted.

On 24 November, two other UU email addresses were found on a list of successful Zoom phishing victims. The passwords on these accounts were changed immediately. No suspicious login attempts related to these accounts have been detected.

With all of the data breaches mentioned above, login data came into the hands of unauthorized persons. These unauthorized persons had access to Utrecht University systems that were not secured by means of two-factor authentication. The email inbox is the most important of these systems. To other systems, such as Osiris, the unauthorized parties had no access, because two-factor authentication was available.

Therefore, it is possible that all correspondence in the affected mailboxes, with the associated personal data, has been viewed. This means that unauthorized persons have had the opportunity to misuse, or have misused, the personal data present in the mailboxes.

In addition, the unauthorized persons also had access to the Outlook address book of Utrecht University. This Outlook address book contains the name, account role, faculty email address, and Solis-ID of every UU student and employee.

Your name and e-mail address may have been viewed by unauthorized persons, which means that there is an increased risk of your receiving spam. However, we have received no indication of this. There is also an increased risk of phishing attempts as a result of these data breaches. Please be aware of this.

It is also possible that unauthorized persons have gained access to and viewed personal email correspondence which you have had with the affected accounts. How this data could be misused depends on the nature of this data. We have not received any reports of abuse.

Watch out for phishing. Read our tips and advice on this. Also, report all suspicious emails to cert@uu.nl.

Where possible, make use of two-step verification (2FA) to further secure your account.

If you have any unanswered questions or a complaint regarding these data breaches, please contact the independent data protection officer of Utrecht University, R.A. Jacquet. You can reach him by e-mail at fg@uu.nl or by telephone on 030-2531977.

You are also free to file a complaint with the national supervisory authority on data protection, the Autoriteit Persoonsgegevens, by telephone for free at 088-1805 250.

We deeply regret any inconvenience this incident may cause you.