The Dutch Autoriteit Persoonsgegevens (AP) has imposed a fine of €175,000 on HAN University of Applied Sciences (HAN) for violating the General Data Protection Regulation (GDPR). An investigation by the AP revealed that HAN had failed to take sufficient measures in the past to adequately protect the personal data of students and employees, among others.

The AP launched the investigation in 2021 following a hack at HAN University of Applied Sciences and has now settled the case with the university. HAN will not appeal the fine.
In 2021, HAN reported a data breach to the AP. A hacker had gained access to a web server and a database server belonging to the educational institution via a web form. The hacker then threatened to make the data public and demanded a ransom from HAN, without success. The data included personal details such as addresses, names in combination with passwords, and social security numbers (BSN).
In order to protect personal data effectively, the organization that stores and uses this data must identify the risks associated with it. The organization must also assess the potential consequences if these risks materialize. Based on this assessment, the organization must take protective measures.
The AP found that HAN had failed in this regard. The digital security of the servers involved was insufficiently tailored to the risks. Furthermore, the access rights of a user account on the database server were not restricted at all. As a result, a vulnerability in a single application on the web server could lead to access to all data on the database server. The data breach does not in itself constitute a violation of the GDPR.
HAN acknowledges that the level of security of personal data on the servers in question was not adequate and that the university college therefore violated the GDPR. During and after the investigation, HAN implemented remedial measures to address the shortcomings. In doing so, HAN has ended the violation that was identified.
The AP has imposed a fine of €175,000 on HAN University of Applied Sciences. In determining the amount of the fine, the AP took a number of circumstances into account. For example, the AP considered that HAN had actively sought to identify the consequences for those affected and to remedy them where possible. HAN has also strengthened its digital resilience.
The AP appreciates that HAN, in its social role as a knowledge institution, has committed itself and will continue to commit itself to enabling other organizations to learn from the mistakes made. For example, HAN has provided information to other organizations. In line with this, HAN will organize a conference in 2026.
