The completed investigation shows that additional data of 2,846 TU/e pass holders were leaked.
Two weeks ago, the TU/e announced that it had been hit by a data breach due to a hack at the campus card company ID-Ware. Approximately 21,000 individuals were affected. For these individuals, some of the personal data that ID-Ware used to make the campus passes had been leaked. What data had been leaked varied from person to person. This included name, address and campus pass number, but not passwords, photos or key files.
ID-Ware has now reported that it has completed its investigation. The investigation shows that additional data of 2,846 TU/e pass holders were leaked. In addition to the already known data, the photo of these pass holders was also stolen, as well as the phone number of 2,166 of them. The affected individuals were notified by us last week.
Pass holders who have not yet received an email do not belong to the group of 2,846.
ID-Ware provides the TU/e’s campus pass system. Hackers broke into ID-Ware’s computers in mid-September and posted the stolen data of several ID-Ware customers on the dark web. The company commissioned Fox-IT, a specialist in digital forensics, to investigate the hack. Now that this has been completed, it is expected that the extent of the data theft is fully understood and there will be no new cases.
Nicole Ummelen, vice president of the Executive Board of TU/e, regrets that more data has been leaked. "Digital security and privacy are extremely important to us. However, there is now a large group of people in our community who have had to learn that their data has fallen into the wrong hands. We understand very well if people are worried about this, and we share that concern. We are currently reviewing where our own policies and practices can be further tightened to prevent this type of event as much as possible."
TU/e's independent internal supervisor is working with the university to conduct its own investigation into the circumstances of the data leak. This should lead, among other things, to measures that will help prevent such a data leak from happening again.
For TU/e employees and students there is an extensive FAQ with more information about the data breach, updated on a continuous basis.
The data breach has been reported to the Dutch Data Protection Authority.