Alumni worried about consequences of data leak
In its first message about the hack, published on August 11, the university stated that it seemed as though the impact of the stolen data wasn’t that bad. The university had been told by Blackbaud on July 16 that at some point during spring, hackers had obtained contact information, birth dates and places, and in some cases, career information. But they announced that no passwords, bank information, or social security numbers were part of the leak, because those had been encrypted. Moreover, it was said that the hackers had promised Blackbaud that they’d deleted all the data. At the time, it was unknown just how much information had been obtained.
At first, the university wanted to hold off on communicating about the hack, because it was unclear which relations’ data were involved. But because Delft Technical University – another victim of the hack – would inform its alumni on August 11, the UU decided to announce the hack on the same day along with Delft. The university wasn’t informed until a few days later that the leak concerned an enormous file from 2017, a backup of all known alumni, donors, and some relations: a total of 180,000 names. Furthermore, it turned out that for 6,000 of them, the social security information could be traced back. Banking information had been encrypted to make it inaccessible to hackers.
Blackbaud has been a UU partner for years, working in relationship management. In 2017, the decision was made to move the actual data to a Dutch server. This was an option Blackbaud offered when the university started using a new system. The decision was made to do this because storing data in one’s own country prevents any kind of doubt or discussion about the security of data. However, one old backup was apparently left on the server. Those data were included in the information the hackers found on the Blackbaud site. Worldwide, many organisations were affected by the hackers.
These past few weeks, the UU has been working to inform all the affected people, via email or letters. In their messages, the university says the risk of abuse of the data is small, and those affected do not need to take any action. Still, many have responded to the messages. People are worried and wonder whether anything could happen to their data. They don’t believe the hackers would simply destroy all those data, as Blackbaud is saying. The hackers have the email addresses, often the study programme, and sometimes even their willingness to donate. With this information, they could effectively sell these addresses to be used for spam or phishing. RTV Utrecht asked an expert to investigate how identity fraud is possible when social security data have been hacked.
Dennis Wiersma, member of Parliament for the VVD as well as a UU alumnus, has submitted written questions to Parliament about the subject. He wants to know what guarantees there are that the hackers have indeed destroyed the information. Blackbaud has paid the requested ransom, but does this provide sufficient certainty? Wiersma asks.
The UU data protection officer has also received numerous emails expressing worries. A number of affected people feel the university is downplaying the issue by stating the risk of abuse is low. Some of them now want all their data to be removed from the UU systems.