HAN completes data breach investigation: more than 14,000 items of sensitive data stolen
More than 14,000 items of sensitive data were stolen during the data breach that hit HAN in Arnhem-Nijmegen at the beginning of September. These are mainly old passwords, more than 4000 of which were stored unencrypted on a server. This is apparent from HAN's completed investigation.
The investigation revealed that a criminal hacker gained access via a web form to a HAN server containing 530,000 email addresses. The hacker was also able to steal the data of a large number of students and former students, including name, address, place of residence, e-mail address and telephone numbers. This concerns data entered on online forms, including forms for requesting information about training courses or registering for events. According to HAN, this group may have fallen victim to phishing.
More privacy-sensitive data has also been stolen from a much smaller group of people. According to HAN, this concerns passport and ID card numbers, unencrypted passwords and personal data about study delay, functional limitations, political preferences and CVs. According to HAN, students and prospective students entered this data in various forms since 2009. The unencrypted passwords come from an online environment that has been out of use since 2018. HAN has previously informed affected students and former students about this.
Encrypted passwords of pre-2019 students were also leaked, as well as the outcome of a 2011 survey by student magazine Sensor about student public preference. CVs from a matching website for students and employers of HAN from the period 2009 to 2019 were also stolen. A total of 14,766 items of 'sensitive personal data' have been leaked, HAN writes. The bulk of these are passwords: 4381 unencrypted and 5194 encrypted. For 2087 students, it was leaked what kind of disability they have, for example whether they have a mental illness that can affect their study career.
HAN contradicts previous reports in which it was written that the university of applied sciences paid a ransom of 10,000 euros for the stolen data. According to the university of applied sciences, the hacker asked for a multiple of this amount, but the university emphasizes that it has not paid for the data. The criminal hacker put the personal data of students online on September 7, because the payment had not been made.
Image: RTL News