The Hogeschool Arnhem Nijmegen (HAN) must pay former student Bram Kleisterlee damages of 300 euros because of a data leak. In that incident, sensitive medical data ended up in the hands of hackers, and the former student suffered damages as a result. So ruled the District Court of Gelderland in a verdict that was pronounced and published on Wednesday.
For the beginning of this case, we have to go back two years. In September 2021, a hacker managed to infiltrate HAN's computer network. In doing so, he had access to personal and privacy-sensitive data of hundreds of thousands of students and former students. This included first and last names, addresses, e-mail addresses, phone numbers, dates of birth and medical data. In addition, the attacker managed to get his hands on "several thousand" unencrypted passwords.
The perpetrator told the media that much of the stolen data came from contact forms filled out by students. He also said HAN was "an easy target". "These so-called experts don't understand anything, because all sorts of things are still open," he said of the data breach. He allegedly asked the college for a ransom, but HAN refused to pay.
Former HAN student Bram Kleisterlee was one of those affected by the data breach and was very concerned about what would happen to his medical data. For the inconvenience, he demanded compensation of 1,000 euros from the educational institution. HAN refused that and offered to hire a student psychologist. Kleisterlee did not agree to that, because he would have to share sensitive information with his old school again. So he started a lawsuit against HAN.
The verdict came on Wednesday. The court ruled in favor of Kleisterlee. The judge found that HAN's security level at the time of the hack was insufficient, and that the university therefore violated the General Data Protection Regulation (Dutch: AVG). An SQL injection was at the root of the data breach, HAN acknowledged. It is a common attack technique in which an attacker smuggles database commands into an application's input in order to manipulate the database and reach sensitive information.
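To make the root cause concrete, the following Python snippet is an added illustration; it is not code from the article, from HAN, or from the court file. It contrasts a lookup that builds its SQL by string concatenation with the same lookup using a parameterized query. The contact-form table, its rows and both inputs are constructed for the example, and the table name, column names and function names are assumptions made here.

```python
import sqlite3


def make_db():
    """Create an in-memory table modelled loosely on a student contact form (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contact_forms (id INTEGER PRIMARY KEY, student_email TEXT, message TEXT)"
    )
    conn.executemany(
        "INSERT INTO contact_forms (student_email, message) VALUES (?, ?)",
        [
            ("alice@example.invalid", "Question about enrollment"),
            ("bob@example.invalid", "Medical note: needs extra exam time"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Builds the query text from user input: the input becomes part of the SQL grammar."""
    sql = (
        "SELECT student_email, message FROM contact_forms "
        "WHERE student_email = '" + email + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Uses a placeholder: the driver passes the value separately, so it can only ever be data."""
    return conn.execute(
        "SELECT student_email, message FROM contact_forms WHERE student_email = ?",
        (email,),
    ).fetchall()


def demo():
    """Return row counts for a benign and a hostile input under both query styles."""
    conn = make_db()
    benign = "alice@example.invalid"
    # Constructed hostile input: closes the quoted literal and appends an always-true condition.
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_benign": len(lookup_vulnerable(conn, benign)),
        "vulnerable_hostile": len(lookup_vulnerable(conn, hostile)),  # every row leaks
        "param_benign": len(lookup_parameterized(conn, benign)),
        "param_hostile": len(lookup_parameterized(conn, hostile)),  # no row matches
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The only change between the two lookups is how the value reaches the database engine. With concatenation, the hostile string rewrites the WHERE clause and every record, including the medical note, is returned; with a placeholder, the same string is compared literally against the column and matches nothing. Using placeholders (or an ORM that emits them) everywhere user input touches a query is the standard remedy, and a code review that searches for string-built SQL is the quickest way to find the remaining spots.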
The court also ruled that the former student suffered damages because sensitive medical data ended up in the wrong hands. "The fact that the hacker was able to view/distribute this specific data is sufficient for assuming damages as a result of the breach of the AVG," the court said. That does not apply to the leakage of general personal data. While the plaintiff has received more spam and foreign phone calls from unknown numbers since the data breach, this has not resulted in damages. "Annoyance caused by this [does] not qualify for compensation," the ruling reads.
Because the loss of control over his medical records is permanent, the court decided to award Kleisterlee damages. The judge arrived at a sum of 300 euros. This is lower than the claimed damages of 1,000 euros. The reason is that the former student was unable to prove sufficiently that the data breach led to concrete negative consequences.
"I'm super happy. It's not about the money for me. It is especially very nice that such a large institution has now been called to order," Kleisterlee told De Gelderlander. He says he can close this chapter because of the court ruling. "The fact that even the judge now judges that HAN made mistakes shows that I was right. I can now better put a stop to it."