Data leak at HAN

Here we keep you up to date on the data leak at HAN.


Also read the frequently asked questions about the data leak. The FAQs are updated regularly based on the updates.

Update 19 November 2021 

Closing live blog

Over the past weeks and months we have made every effort to inform all those who may have been affected by the data leak. We also did our best to answer the questions that reached us via ASK@han.nl. Any specific questions that are still unanswered will be dealt with as soon as possible.

Immediately after learning that we had been affected by a data theft, we expressed our regret that we had been unable to prevent the incident. We apologized to all those whose data may have been stolen.

We continue to do our utmost to prevent future incidents of this kind by investing in a (digitally) safe working and learning environment, having this environment periodically tested by ethical hackers, and running awareness campaigns. At the same time, we realize that 100% digital security does not exist.

As is customary with this type of incident, the Dutch Data Protection Authority was informed at the very start and was kept informed of progress at various stages throughout the process. Today we closed our incident report with the Data Protection Authority.

Today we are closing this live blog. The answers to the frequently asked questions will remain available at hanuniversity.com/dataleak.

Do you have any questions about the data leak? Please contact our colleagues at ASK@han.nl.

Update 26 October 2021 

Last group of victims informed

Today, the last 2% of those affected by the data leak were notified. This concerns more than 11,000 email addresses. Further investigation was needed for this group, as it involved personal data collected together with other parties.

These are mainly general personal data from a database in which information on teacher-training internships is stored, such as the addresses of schools where internships took place or the contact details of students and their internship supervisors.

By informing this last group, HAN has now informed everyone whose personal data may have been stolen during the hack and whose email address is known to us.

Contact
Have any questions? Then take a look at the frequently asked questions about the data leak. Our colleagues will also be happy to speak to you personally via ASK@han.nl.

Update 5 October 2021 

HAN concludes investigation into data leak

HAN has largely concluded the investigation into the data leak that came to light on 1 September. The investigation revealed that a hacker used a web form to gain access to one of the HAN servers on which a large amount of data was stored. Over 530,000 unique email addresses were found on this server. It is unknown whether the hacker actually obtained all the data on the server and/or published it. Nevertheless, HAN has decided to inform everyone whose data may have been stolen.

What data are involved? 
At least 95% of the personal data that may have been stolen are general personal data such as names, addresses, places of residence, email addresses and telephone numbers. These data had been entered into online forms used, for example, to request information about degree programs or to register for a session or event. Because this group may become a target of phishing, HAN has started informing them and advising them to be extra alert to such practices. Individuals are referred to the hanuniversity.com/dataleak website, where practical tips on minimizing the risk of phishing can be found. HAN will inform everyone in this group this week.

About 3% of the potentially affected data involve more privacy-sensitive personal data. This includes, for example, passport and ID-card numbers, passwords, or personal information of students about matters such as study delays. A complete overview of the different types of privacy-sensitive data is given below. HAN has already informed these people.

Further investigation
The investigation is still ongoing for 2% of the potentially affected cases. Further investigation is required in these cases because they may involve data collected together with other parties, which may require coordination with those parties. It is already clear, however, that the data for this group are mainly general personal data.

Apologies 
"As the Executive Board, we regret that individuals have fallen victim to this data theft and that we were unable to prevent it. We sincerely apologize to everyone who has been inconvenienced in one way or another by this incident," says Rob Verhofstad, chair of the HAN Executive Board.  

How the incident unfolded 
When the data theft at HAN became known on 1 September, immediate action was taken. HAN reported the matter to the Dutch Data Protection Authority and the police. The leak was contained with the help of internal and external experts, and the systems were and are being continuously monitored. Updates on the status of the incident were posted on hanuniversity.com/dataleak. Because the current HANaccount environment of students and staff and the personnel and salary system were not involved in the data leak, the leak did not affect the education, research or support services of HAN.

Ransom 
The hacker demanded a ransom from HAN in exchange for the data he had stolen. The amount of 10,000 euros that circulated in the media is incorrect; the demand was a multiple of that amount. From the beginning, HAN refused to respond to this extortion, because paying would only perpetuate this form of cybercrime. Paying also offers no guarantee that the stolen data will not be sold or published elsewhere. HAN will not comment further on the exact amount of the ransom demanded.

Next steps 
Rob Verhofstad: "Despite all our efforts to provide a digitally safe environment, we were unfortunately unable to stop this attack. So we continue to work on making our ICT environment and systems more secure. It goes without saying that we will try to assist people affected by the data theft as best we can with practical tips and advice."

For further details, see the Overview of privacy-sensitive data (PDF).

Update 29 September 2021 

Investigation almost finished

The investigation into the stolen data is almost finished, and our overview of the stolen data is becoming ever clearer. It includes the login details of employees who participated in a running event. The data stolen were general information such as name and email address, but also the document number of the ID provided.

We have informed the 200 participants (mostly current and former colleagues) by email. 

While the likelihood of abuse based on the document number alone is small, we can imagine people being concerned that this information may now be circulating. For this reason, HAN will reimburse the cost of replacing the ID for those affected.

We will inform all those affected by other types of stolen data as soon as possible.

8 September 2021 

Update

Yesterday we reported that the attacker claimed to have stolen passwords in the data leak of 1 September. As far as we know now, these are expired passwords. We have been able to identify whom these passwords belong to. Today we sent an email to 4,300 people informing them of this.

The email contained the following text:
We regret to inform you that an analysis has shown that one or more of your passwords may have been stolen. These are passwords that you used for one of our online environments in the period before 2018. You may currently be using the same password for other purposes. Our advice is that you change your password(s). 

In our investigation yesterday, we focused specifically on identifying the leaked passwords. The investigation into the nature of the other leaked personal data is still ongoing. As soon as we know more, we will inform those concerned.

7 September 2021 

Update

Today HAN was contacted by a journalist claiming to have had contact with the attacker. 

The attacker says he has published the stolen data. We cannot yet confirm this, but it is in line with expectations.

The attacker has said he also found passwords. As far as we know, these are expired passwords, so this does not concern current HANaccount credentials. The investigation is still ongoing and focuses on which personal data are involved and whom they belong to. It is being conducted with great care, and that takes time. In the coming weeks we will directly inform the people affected. We will also advise them if they need to take any action.

5 September 2021 

Update

On 1 September, we discovered that data had come into the hands of third parties. We can now report that we have resolved the vulnerability in our ICT environment.

Data theft  
We took immediate measures on 1 September and also called in independent external experts. The investigation revealed that an external attacker had stolen data via one of our servers. This leak has now been fixed. The press has already reported that the attacker demanded a ransom for the data; HAN has refused to meet those demands.

What kind of data is involved?
As far as we know, the leak concerns various data such as details that could be entered on online forms via our website. These include questions about degree programs and requests for general information, but sometimes also the reasons for a degree preference or a request for support, together with personal data such as the applicant's name and email address. The dataset also contains contact information for staff. It does not include HAN login data or data from other systems such as the student administration or the staff and salary administration systems.

Informing those affected
As a precaution, we sent an initial message to all students and staff. We also posted a message on our website to inform other people directly involved. The investigation is still ongoing and focuses on which personal data are involved and whom they belong to. It is being conducted with great care, and that takes time. In the coming weeks we will directly inform the people affected. We will also advise them if they need to take any action.

Possible consequences 
The attacker could share the data with journalists, publish it on the Internet or try to sell it. Unfortunately, that is common in this type of situation and difficult to prevent. As always, there is also the risk of phishing and spam, so we are once again warning everyone to be extra alert to this type of cybercrime.

Finally 
We are in contact with the police and are reporting the incident. We are updating our report to the Data Protection Authority with what we know so far. We will post further updates at www.han.nl/datalek.

Digital security is very important, certainly in education and research, and has our constant attention. We deeply regret that, despite these efforts, we were unable to prevent this incident. Our apologies for any inconvenience you may experience as a result of the situation. We are making every effort to continue to provide a safe online environment for everyone.

3 September 2021 | 19:30 

Update

The investigation into the data leak is still ongoing. It is being conducted extensively and with great care. In the interest of the investigation, we cannot yet make any further announcements.

We understand there is media coverage and details of the leak can be read elsewhere. At this stage we cannot confirm or deny those reports. You can find up-to-date information on this site.

3 September 2021 | 09:00 

Investigation in full swing

Behind the scenes we are working hard to map out the impact of the data leak. We ask all staff and students to follow the updates here and to keep an eye on their mailbox. Also stay alert for phishing.

2 September 2021 | 14:00 

Data leak at HAN

On 1 September, we received notification that personal data had come into the hands of third parties. HAN has taken immediate measures and has called in independent experts to investigate the exact impact. We are also in contact with the High Tech Crime Team of the police, and a report has been made to the Dutch Data Protection Authority. We will inform the people whose data are affected as soon as possible.

Contact

Do you have another question? Contact us at ASK@HAN.nl.