Data leak at HAN
Here we keep you up to date on the data leak at HAN.
Update 19 November 2021 Closing live blog
Over the past weeks and months we’ve made every effort to inform all those who may have been affected by the data leak. We also did our best to answer questions that came to us via ASK@han.nl. Any specific questions still unanswered will be dealt with as soon as possible.
Immediately after learning that we’d been affected by a data theft, we expressed our regret that we'd been unable to prevent the incident. We apologized to all those whose data may have been stolen.
We continue to do our utmost to prevent future incidents of this kind by continuing to invest in a (digitally) safe working and learning environment, having this environment periodically tested by ethical hackers, and running awareness campaigns. At the same time, we realize that 100% digital security does not exist.
As is customary with this type of incident, the Dutch Data Protection Authority was informed at the very start. The Data Protection Authority was kept informed of progress at various stages throughout the process. Today we closed our incident report with the Data Protection Authority.
Today we are closing this live blog. The answers to the frequently asked questions will remain available at hanuniversity.com/dataleak.
Do you have any questions about the data leak? Please contact our colleagues at ASK@han.nl
Update 26 October 2021 Last group of victims informed
Today, the last 2% of those affected by the data leak were notified. It concerns more than 11,000 email addresses. Further investigation was needed for this group, as it involved personal data collected together with other parties.
These are mainly general personal data that come from a database where information is stored on teacher training internships. This concerns data such as addresses of schools where internships took place or contact details of students and their internship supervisors.
By informing the latter group, HAN has informed everyone whose personal data may have been stolen during the hack and whose email address is known to us.
Update 5 October 2021 HAN concludes investigation into data leak
HAN has largely concluded the investigation into the data leak that came to light on 1 September. The investigation revealed that a hacker used a web form to gain access to one of the HAN servers where a large amount of data was stored. Over 530,000 unique email addresses were found on this server. It is unknown whether the hacker actually got hold of all the data on the server and/or published it. Nevertheless, HAN has decided to inform everyone whose data may have been stolen.
What data are involved?
At least 95% of the personal data that may have been stolen is general personal data such as names, addresses, places of residence, email addresses and telephone numbers. These data had been entered into online forms that people could use for purposes like requesting information about degree programs or registering for a session or event. As there is a chance that this group may become a victim of phishing, HAN has started informing this group and advising them to be extra alert for these types of practices. Individuals are referred to the hanuniversity.com/dataleak website where practical tips can be found to minimize the risk of phishing. This week HAN will inform everyone in this group.
About 3% of the potentially affected data involves more privacy-sensitive personal data. This includes, for example, passport and ID-card numbers, passwords or personal information of students about matters such as study delays. A complete overview of the different types of privacy-sensitive data is given below. HAN has already informed these people.
The investigation is still ongoing for 2% of the potentially affected cases. Further investigation is required in these cases because they may involve data collected together with other parties. And that may require coordination with those parties. However, it is clear that the data for this group is mainly general personal data.
"As the Executive Board, we regret that individuals have fallen victim to this data theft and that we were unable to prevent it. We sincerely apologize to everyone who has been inconvenienced in one way or another by this incident," says Rob Verhofstad, chair of the HAN Executive Board.
How the incident unfolded
When the data theft at HAN became known on 1 September, immediate action was taken. HAN reported the matter to the Dutch Data Protection Authority and the police. The leak was contained with the help of internal and external experts, and the systems have been, and continue to be, continuously monitored. Updates on the status of the incident were posted on hanuniversity.com/dataleak. Because the current HANaccount environment of students and staff and the personnel and salary system were not involved in the data leak, the leak did not affect the education, research or support services of HAN.
The hacker demanded a ransom from HAN in exchange for the data he had stolen. The amount of 10,000 euros that circulated in the media is incorrect; the actual demand was a multiple of that amount. From the beginning, HAN refused to respond to this extortion. The reason for this is that paying would only perpetuate this form of cybercrime. Paying also offers no guarantee that the stolen data would not be sold or published elsewhere. HAN will not comment further on the exact amount of the ransom demanded.
Rob Verhofstad: "Despite all our efforts to provide a digitally safe environment, we were unfortunately unable to stop this attack. So we continue to work on making our ICT environment and systems more secure. It goes without saying that we will try to assist people affected by the data theft as best we can with practical tips and advice."
For further details, see the Overview of privacy-sensitive data (PDF).
Update 29 September 2021 Investigation almost finished
The investigation into the stolen data is almost finished. Our overview of the stolen data is becoming ever clearer. It includes login details of employees who participated in a running event. The data stolen was general information such as name and email address, but also the document number of the ID provided.
We have informed the 200 participants (mostly current and former colleagues) by email.
While the likelihood of abuse based on just the document number is small, we can imagine people being concerned that this information may now be circulating. For this reason, HAN will reimburse the cost of replacing the ID for those affected.
We will be informing all those involved in other types of stolen data as soon as possible.
8 September 2021 Update
Yesterday we reported that the attacker claimed to have stolen passwords in the data leak on 1 September. As far as we know now, these are expired passwords. We have been able to identify who these passwords belong to. Today we sent an email to 4,300 people informing them about this.
The email contained the following text:
We regret to inform you that an analysis has shown that one or more of your passwords may have been stolen. These are passwords that you used for one of our online environments in the period before 2018. You may currently be using the same password for other purposes. Our advice is that you change your password(s).
In our investigation yesterday, we specifically focused on finding out the leaked passwords. The investigation into the nature of other leaked personal data is still ongoing. As soon as we know more, we will inform those concerned.
7 September 2021 Update
Today HAN was contacted by a journalist claiming to have had contact with the attacker.
The attacker says he has published the stolen data. We cannot yet confirm this, but it is in line with expectations.
The attacker has said he also found passwords. As far as we know, these are expired passwords. So it does not concern current data from a HANaccount. The investigation is still ongoing and focuses on which personal data are involved and who they belong to. It is being conducted with great care, and that takes time. In the coming weeks we will directly inform the people affected. We’ll also advise them if they need to take any action.
5 September 2021 Update
On 1 September, we discovered that data had come into the hands of third parties. We can now report that we’ve managed to resolve the vulnerability in our ICT environment.
We took immediate measures on 1 September and also called in independent external experts. The investigation revealed that an external attacker had stolen data via one of our servers. This leak has now been fixed. The press has already reported that the attacker demanded a ransom for the data. HAN has refused to meet those demands.
What kind of data is involved?
As far as we know, the leak concerns various data such as details that could be entered on online forms via our website. That includes questions about degree programs, requests for general information, but sometimes also reasons for a degree preference or a request for support. It also includes personal data such as the applicant's name and email address. The dataset also contains contact information for staff. It does not concern HAN login data or data from other systems like the student administration or staff and salary administration systems.
Informing those affected
As a precaution, we sent an initial message to all students and staff. We also posted a message on our website to inform other people directly involved. The investigation is still ongoing and focuses on which personal data are involved and who they belong to. It is being conducted with great care, and that takes time. In the coming weeks we will directly inform the people affected. We’ll also advise them if they need to take any action.
The attacker could share the data with journalists, publish it on the Internet or try to sell it. Unfortunately, that is common in this type of situation and is difficult to prevent. As always, there is also the risk of phishing and spam. So we are once again warning everyone to be extra alert for this type of cybercrime.
We are in contact with the police and are reporting the incident. We are updating our report to the Data Protection Authority with what we know so far. We’ll post further updates at www.han.nl/datalek.
Digital security is very important, certainly in education and research, and has our constant attention. We deeply regret that, despite these efforts, we were unable to prevent this incident. Our apologies for any inconvenience you may experience as a result of the situation. We are making every effort to continue to provide a safe online environment for everyone.
3 September 2021 | 19:30 Update
The investigation into the data leak is still ongoing. It is being conducted extensively and with great care. In the interest of the investigation, we cannot yet make any further announcements.
We understand there is media coverage and details of the leak can be read elsewhere. At this stage we cannot confirm or deny those reports. You can find up-to-date information on this site.
3 September 2021 | 09:00 Investigation in full swing
Behind the scenes we’re working hard to map out the impact of the data leak. We ask all staff and students to follow the updates here and to keep an eye on their mailbox. Also stay alert for phishing.
2 September 2021 | 14:00 Data leak at HAN
On 1 September, we received notification that personal data had come into the hands of third parties. HAN has taken immediate measures and has called in independent experts to investigate the exact impact. There is also contact with the High Tech Crime Team of the police and a report has been made to the Dutch Data Protection Authority. We will inform the people whose data is affected as soon as possible.
Frequently asked questions
The external attacker has stolen data through one of our servers. The leak has now been fixed.
On 7 September, we were contacted by a journalist claiming to have had contact with the attacker. The attacker says he has published the stolen data. We cannot yet confirm this, but it is in line with expectations.
As far as we know, the leak includes various data saved from online forms on our website. That includes questions about degree programs, requests for general information, but sometimes also reasons for a degree preference or a request for support. It also includes personal data such as the applicant's name and email address and, as far as we know, expired passwords. The dataset also contains contact information for staff.
The investigation is still ongoing and focuses on which personal data are involved and who they belong to. It is being conducted with great care, and that takes time. In the meantime we have informed those people whose expired passwords have been stolen. We also advised them about follow-up steps. In the following weeks we’ll notify people whose other personal data have been stolen.
It does not concern current data from a HANaccount or data from other systems like the student administration or staff and salary administration systems. Nor does it involve data from Studielink, the national organization where you enroll as a student.
Media reports have mentioned that the hacker is demanding €10,000 for the data he has stolen. This amount is incorrect and in reality is a lot higher. HAN refuses to meet the demands, because we do not want to perpetuate cybercrime. Paying also gives no guarantee that the data would not be further sold or published.
The attacker has in any case shared the data with a journalist. The attacker may also publish the data set on the internet or the dark web, or try to sell it. Unfortunately, that is common in this type of situation and is difficult to prevent.
Digital security is very important, certainly in education and research, and so has our constant attention. Unfortunately, just like home break-ins, digital burglary cannot be prevented 100% of the time. We are making every effort to continue to provide a safe online environment for everyone. A team of expert HAN staff continuously monitor our network for suspicious activity and take immediate action when needed. A number of external parties also monitor our network continuously.
We can’t answer that with any certainty. Your notification could be “phishing” via text message or WhatsApp. It’s happening a lot right now. Never open links you don't trust.
Has the data leak caused you psychological problems that are directly or indirectly affecting your studies? The HAN student psychologists can help you. Arrange an intake interview or call during the consultation hour.
Have a chat with one of the student psychologists to get an overview of the problems you are experiencing. After this, advice is formulated and discussed with you (max 45 minutes).
Plan an intake interview with the student psychologist using the form on Insite.
Do you have a brief question? Or do you want to discuss your situation with a student psychologist? You can speak to a psychologist during the phone consultation hour. Have a chat (max 10 minutes) to discuss what you can do or what your options are.
Register for the phone consultation hour with the secretarial office: (024) 353 04 34 or Studentenpsychologen@han.nl.
As far as we now know, expired passwords have been stolen. We have been able to identify who these expired passwords belong to. We sent an email about this to 4,300 affected people on Wednesday 8 September.
It does not concern any current data from HANaccounts. You don’t need to change the password for your HANaccount. And you can continue to use our systems. Are you using the same password for other purposes? We advise you to change your password there.
Criminals can use all types of leaked data to make fake messages more targeted and personalized. Some fake messages can seem very authentic and this increases their chance of success. So stay alert for scams via phone calls, mail, phishing emails, SMS or WhatsApp. Common examples are WhatsApp messages requesting payment from strangers or links in a fake bank email to change your login details.
Use different passwords for different purposes
If your password has been leaked, change this password everywhere you use it. Use strong passwords that are easy for you to remember. For example, short sentences. A strong password is longer than 8 characters and contains lower- and upper-case letters, and symbols. Don’t re-use the same password. Try to choose different passwords for different purposes. Need help to remember passwords in a safe way? Use a password manager like LastPass, KeePass or the password manager in the web browser.
Check these websites regularly: haveibeenpwned.com or www.scatteredsecrets.com. These sites can tell you if your login details have been involved in any data leaks.
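The haveibeenpwned.com check recommended above works without ever sending your password or its full hash to the service: the Pwned Passwords range lookup takes only the first five hex characters of the SHA-1 hash and returns every leaked hash suffix that shares that prefix, so the comparison happens on your own machine. The following is an added example, not code from HAN or from haveibeenpwned.com, showing that lookup logic and the page's password rule of thumb. The api.pwnedpasswords.com range URL and the SUFFIX:COUNT response format are the real ones; the sample response and its counts are constructed for this example (the one real value in it is the SHA-1 suffix of the word "password"), and the function names are my own.

```python
import hashlib
import urllib.request
from typing import Tuple

# Constructed sample of a range lookup result for prefix "5BAA6": one
# "SUFFIX:COUNT" line per leaked hash sharing the prefix. The middle line is
# the genuine SHA-1 suffix of "password"; the other suffixes and all counts
# are invented for this example.
SAMPLE_RANGE_RESPONSE = """\
1E2B5C0D3BB9E4B7B3A2B5A7A9E8D4A1C52:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F0A9B0C1D2E3F4A5B6C7D8E9F0A1B2C3D4:17
"""


def hash_prefix_and_suffix(password: str) -> Tuple[str, str]:
    """SHA-1 the password (the hash Pwned Passwords indexes) and split the
    upper-case hex digest into the 5-character prefix that is sent to the
    service and the 35-character suffix that never leaves your machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_response: str) -> int:
    """How often the password appears in the leak corpus covered by
    range_response, or 0 if it is not listed. Only the local suffix is
    compared against the returned lines."""
    _, suffix = hash_prefix_and_suffix(password)
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup (not exercised offline). Only the 5-character prefix is
    transmitted, which is what makes the check k-anonymous."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "han-leak-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def meets_length_and_mix_guidance(password: str) -> bool:
    """The page's rule of thumb: longer than 8 characters, with lower-case
    and upper-case letters and at least one symbol."""
    return (
        len(password) > 8
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(not c.isalnum() for c in password)
    )


if __name__ == "__main__":
    # Offline demonstration against the constructed response; swap in
    # fetch_range(prefix) for a real check.
    for pw in ("password", "Correct horse battery staple!"):
        prefix, _ = hash_prefix_and_suffix(pw)
        seen = breach_count(pw, SAMPLE_RANGE_RESPONSE)
        print(f"{pw!r}: prefix sent={prefix}, seen {seen} times, "
              f"meets guidance={meets_length_and_mix_guidance(pw)}")
```

A password that comes back with any non-zero count should be treated as burned everywhere it was used, which is exactly the advice above for the expired passwords in this leak. Note that passing the length-and-mix check does not make a password safe if it already appears in a leak corpus; the two checks answer different questions.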
Use extra security when logging in
Set up 2-factor authentication where possible. With 2-factor authentication, your identity is verified with 2 forms of identification when logging in: e.g. a password and a code sent to your phone via SMS or an authenticator app.
As well as the general tips, there are specific things you should do when specific personal data of yours have been leaked. For this purpose, we have an overview of tips for each type of leaked data on our website han.nl/datalek. Still have questions? Contact us at ASK@han.nl.
The investigation has concluded. HAN has informed everyone whose personal data may have been stolen and whose email address is known to us.
See the top of this page for the latest updates about the data leak. In the answers to the FAQs here we try to support you as best we can with useful tips and advice.
Do you have another question? Contact us at ASK@HAN.nl.