Analysis of personal data breach gives all clear
The analysis of the attack in summer 2023 has now been completed. The assessment is that no individual needs to do anything in this situation, even though some personal data relating to students, members of staff and others at the University did leak.
During the summer, the University’s IT environment was targeted by an attack and information from two of the University’s systems was shared on the internet. Measures have been taken to secure the University’s IT environment and problem investigations are being conducted to analyse further action to reduce the risk of similar intrusions in the future.
A thorough analysis has now been made of the information that was stolen and then shared on the internet after the attack. Assessing the material and confirming that most of the information leaked does not entail any risk has demanded a great deal of processing and time.
Read more about the attack in previous articles on the Staff Portal.
How might I be affected?
A large proportion of employees and others involved at the University are represented in the leak. Personal data identified includes first and last names, user names and email addresses, as well as personal identity numbers.
The leaked material did not include any sensitive personal data. Furthermore, there is no indication that the attack was carried out in order to obtain personal data about staff or students.
What do I need to do?
People who use the University’s systems do not need to do anything. The University Administration has dealt with the intrusion and is working on additional measures to prevent further attacks.
Who can I contact if I want to know more?
The University follows the legislation on personal data. If you would like to know more about personal data management.
If you have specific questions about GDPR in connection with this leak, you are welcome to contact the University’s data protection officer at dataskyddsombud@uu.se.
What’s happening now?
One of the things being done is to speed up planned security measures such as the introduction of multi-factor authentication for additional systems. Multi-factor authentication means that users have to use at least two different verification factors to log in to IT systems. Another potential action is to limit external access to relatively sensitive IT systems at the University.
A problem investigation group is continuing to analyse further measures to reduce the risk of similar intrusions in the future. The University also has an option of engaging external expertise to supplement internal actions and to consult on the assessment of the attack and proposed measures.