Among other personal data, medical data was also captured in the hack of the Arnhem Nijmegen University of Applied Sciences (HAN) last Sept. 1. The educational institution released the findings of its investigation into the data breach last Tuesday. In it, they indicate that the hacker had access to general personal data such as name, address, place of residence, e-mail address and phone number, as well as more specific information. The server penetrated by the hacker contained more than 530,000 unique e-mail addresses.

HAN indicates that highly privacy-sensitive personal data were also leaked for 3% of the affected students. These include passport and ID numbers, passwords, and reports of disability or study delays.
Students could report, for example, psychological complaints in a web form so that these could be taken into account by the trainer. Unfortunately, it seems that the hacker also had access to this information. Data from a political survey might also have been leaked, which means that some students' political preferences may have become known to the hacker.
The students involved have all since been notified. The educational institution also reported the incident to the police immediately after the hack and notified the Autoriteit Persoonsgegevens (AP).
HAN indicates that the ransom amount of 10,000 euros circulating in the media is incorrect. They say the hacker demanded a multiple of that amount. RTL news reportedly got hold of the extortion notice, and in it the hacker, who calls himself "masterballz," asks for 4 bitcoin in ransom. This amounts to about 156,000 euros.
HAN does not want to say anything else about the amount. They indicate that they did not respond to the extortion because payment sustains this type of cybercrime and there is no guarantee that the hacker will really do nothing with the data after payment.
It is unclear what the hacker has since done with the stolen information. The data could be published or sold on the dark web. Cybercriminals could use the personal data to extort money from (former) students through phishing. It is therefore important for affected individuals to be aware of the leak and stay alert to suspicious messages.
