Answers to Parliamentary questions on report of psychological problems HAN students after major hack

Minister Van Engelshoven (OCW) answers Parliamentary questions in response to the report "Psychological problems HAN students also on the street after major hack". She received the questions from MPs Van der Woude and Rajkowski (both VVD).

Rijksoverheid November 4, 2021

Date: November 4, 2021
Subject: Answer to written questions by members Van der Woude and Rajkowski (both VVD) to the Minister of Education, Culture and Science about the message 'Psychological problems HAN students also on the street after major hack'.

1. Are you familiar with the message 'Psychological problems HAN students also on the street after major hack'? (1)

Yes.

2. Is it true that the College of Arnhem and Nijmegen (HAN) was attacked with ransomware last month? If so, can you provide a chronological factual account of this event, specifically addressing the cause of the cyber attack? If not, why not? Do you share the view that it is desirable to share knowledge about the origin of hacks with other educational institutions so that they can learn from it?

HAN University of Applied Sciences (HAN) has faced a hack. HAN has informed me that a hacker gained access via a web form to a HAN server on which a lot of data was stored. Ransomware was not involved in this case. For a chronological account of the facts, I refer you to the HAN website, www.han.nl/datalek, where you can follow the developments over time via a liveblog. It is very important to share knowledge about the origins of hacks with other educational institutions, since cooperation and continuous knowledge and information sharing are crucial to effectively combating cyber risks. This has been done in this case as well. See also the answer to question 5.

3. Is it true that in this hack very sensitive data such as medical and personal data of HAN students were captured as a result of the cyber attack? If so, can you provide an overview of the extent of this data and exactly what data was captured? If not, why not?

HAN informed me that the hacker had accessed an environment where a lot of personal data was available and published an overview of the leaked data on its website han.nl/datalek on Oct. 5. This overview was attached to a press release issued on the same day. The overview shows that 95% of the cases involved general personal data such as address or telephone numbers. A small percentage of the potentially affected data (3%) involves more personal data including information about the reason for study delay or special circumstances that the university wants to take into account.

4. Has the data theft already been reported to the Autoriteit Persoonsgegevens (AP)? If so, has there been further contact between HAN and the AP? If not, why not?

Yes. HAN immediately informed the AP as soon as it became aware of the data breach. This (preliminary) notification was made by HAN's Data Protection Officer on September 1. As soon as there were new developments and the provisional notification could be supplemented, the AP was always informed.

5. At the time of the ransomware attack, was HAN in contact with the sectoral computer emergency response team SURFcert for (technical) support? If so, did HAN initiate this contact? If so, what came out of this contact in terms of support from SURFcert?

HAN has informed me that ransomware was not involved (see question 2). As soon as HAN became aware of the data breach, HAN contacted SURFcert on September 1. SURFcert supported HAN with analyzing the incident. In doing so, the Indicators of Compromise (IOCs) were shared with SURFcert and its affiliated institutions.

6. Was there a dialogue between HAN and the hacker in question about whether or not to pay the ransom amount demanded? If so, did HAN involve the police in conducting this dialogue? If not, why not?

HAN has informed me that contact has been made with the hacker. HAN did not accede to the demands for the ransom. As soon as HAN learned of the data breach, it immediately contacted the police and also filed a report.

7. Is it true that the stolen data was published? If so, where, and were the students and staff informed of this? If not, why not?

As far as we know, no data have been published. Because it is not known exactly what data has been captured, HAN has decided, as a matter of care and precaution, to inform anyone whose personal data may have been captured.

8. Can you estimate the (intangible) damages and costs this cyber attack has caused so far?

This estimate cannot be given as yet. The work at HAN is ongoing. This involves external experts in addition to our own staff.

9. Is it true that HAN was called an "easy target" by the hacker in question? If so, how do you assess this statement? Do you share the opinion that it is very worrying that a Dutch higher education institution is labeled in this way by cyber criminals?

The hacker's statement was penned by a journalist. I cannot judge that. HAN pays close attention to IT security in its operations. This is evidenced by, among other things, the presence of various preventive, detective, responsive and corrective measures. Examples include the regular performance of penetration tests by ethical hackers, the connection to the Security Operations Center solution provided by SURFsoc and the presence of offline backup facilities. In addition, the awareness of employees and students about information security is regularly raised through campaigns. SURF also participated in the national SURF OZON exercise on 18 March of this year. The planning & control cycle is used to ensure further growth in maturity in the area of information security in order to respond to the continually changing cyber threat landscape facing the education sector.

10. Do you share the opinion that this cyber-attack and in particular the seizure of sensitive medical data of more than 2,000 students is a very serious invasion of the privacy of the students in question? Do you share the opinion that it is desirable for students who have become victims to receive support about possible dangers regarding identity fraud and how to deal with any psychological impact involved in the disclosure of this type of sensitive data, for example from the Fraud Helpdesk? If so, can you pass this along to the HAN board? If not, why not?

Personal data and special personal data are protected through the relevant legislation (AVG). That data of a medical nature was involved in the data breach is of course particularly regrettable. HAN has informed all potentially affected individuals of the data breach, with those whose potentially sensitive data was involved being informed first. A team of professionals has been on hand from the time of notification to answer any questions. If, based on responses, it is suspected that additional aftercare is needed, people are made aware of the various facilities HAN has in this area such as student psychologists. HAN also monitors whether further follow-up may need adjustment.

11. Do you share the view that educational institutions should do more to prevent such cyber attacks? If so, do you also share the view that, for example, minimum security requirements should be considered in order to get digital hygiene in order? If so, how is this consistent with your previous statements that the responsibility for good business practices lies with the institution itself and that, in principle, they themselves are responsible for mitigating their own cyber security vulnerabilities? If not, why not?

Colleges have intensified their approach in recent years based on increasing threats. The hack at Maastricht University, as well as other incidents, has made the sector realize the importance of digital security and good preparation. In my letter of September 28 last, I outlined what measures the sector and I have already taken and which are in the pipeline. (2)

12. Can you answer the above questions before the yet to be scheduled committee debate "Digitalization in Education"?

Yes.

Footnotes

(1) RTL News, 05/10/2021; https://www.rtlnieuws.nl/nieuws/nederland/artikel/5258411/han-hack-datalek-psychische-problemen-medische-informatie
(2) Parliamentary paper 'Digital resilience in higher education and research and in secondary vocational education', 28-09-2021.
