Information about IT systems after critical IT incident

PRESS RELEASE: ANALYSIS COMPLETED: QUICK RESPONSE AVERTED MAJOR DAMAGE

AALBORG, OCTOBER 1, 2020

After the hacker attack at Aalborg University, the subsequent analyses have now been completed. There is still no evidence that the IT criminals intended to collect personal data; the motive was instead financial blackmail. A fast and extensive reaction by the university halted the attack and limited the impact on the university, our staff, and students.

Since Aalborg University closed access to all IT systems on the 4th of August, the university has carried out in-depth analyses and continuously informed the Danish Data Protection Agency, the public, and the affected users whose data was compromised of the results. The analyses are now complete.

A quick response, along with the advice of top experts concerning the hacker attack, has apparently averted any major damage.

- “The hacker attack has made us pay even more attention to security. It should not be able to happen again. Therefore, Aalborg University's students and employees have made new and stronger passwords. In addition, technical measures have been implemented, which both ensure better protection against similar attacks in the future and also provide a better opportunity to identify future attempts to compromise Aalborg University's systems,” says University Director Antonino Castrone.

Personal data collection was not the motive

Aalborg University still has no reason to believe that the purpose of the attack was to collect personal data. The investigations into the hacker attack show that the attackers used methods, hacker activities, and tools known from targeted ransomware attacks for financial extortion. Aalborg University has informed those whose personal data has been compromised, and the hacker attack has been reported to the Danish Data Protection Agency and to the police.

Based on the completed investigation, it can be concluded that the IT criminals have accessed the following areas where personal data have been available:

  • Aalborg University’s user database (Active Directory) with all Windows accounts (30,907 accounts). Only general personal data was accessible from the user database. Here you can read about the definition of personal data.
  • For 823 employees in Aalborg University's user database (Active Directory), the IT criminals have also copied current and up to 24 previously used password hashes per user account. Here you can read about password hashes.
  • 5 system administrators' user accounts and the contents of their associated email accounts. The assessment is that the IT criminals have thus tried to gain knowledge of the university's IT infrastructure. This included access to the system administrators' own and close colleagues' notifications of illness (for example: "I am sick with influenza, so I am not coming to work today").
  • An XML file created in 2015 in the budget system Prophix, which contains general personal data of 28 employees and former employees of Aalborg University.
  • An SQL query from spring 2020, in which there was general personal data about 202 employees at Aalborg University consisting of names, initials, work emails, and usernames.
  • Finally, the IT criminals have gained access to 10 user accounts. The investigations show that IT criminals have only used these user accounts to access the AAU network.

- “Of course, we take it very seriously when personal data comes into the hands of unauthorized persons, but having said that, we are also very relieved that our processes and monitoring have worked in such a way that we could detect the illicit intrusion early and thus avert a major crash,” says University Director Antonino Castrone.

Aalborg University considers it relevant to point out that the IT criminals have not gained access to research data at Aalborg University.

Aalborg University has completed the analysis work in relation to the hacker attack, and the university's final conclusion has now been reported to the Danish Data Protection Agency.

For more information see www.its.aau.dk/beredskab

Further information: Chief Advisor Bo Jeppesen, tel. 6140 4061

Press release: IT CRIMINALS HAD ACCESS TO A FEW USERS’ SENSITIVE INFORMATION

AALBORG, AUGUST 31, 2020

A quick reaction from Aalborg University (AAU) meant that only a few employees' sensitive personal data was compromised when IT criminals hacked into Aalborg University's IT system. This is the result of the investigation initiated by AAU immediately after the shutdown on August 4th. The compromised data concerns salary information of 28 employees or former employees, and passwords of 15 students and employees. Those affected are now being informed in a letter.

In addition, the university's investigation shows that about 30,000 users are affected by the incident, as the IT criminals have had access to the university's network and user database (Active Directory). The user database primarily shows general personal data, which is publicly available on Aalborg University's website. Additionally, it contains passwords in encrypted form (password hashes) and, for some users, a mobile number for multifactor authentication.

Aalborg University is currently notifying everyone with a user profile in the university's user database whose general or sensitive personal data has been compromised.

PERSONAL DATA COLLECTION WAS NOT THE MOTIVE

It has been assessed that the intention of the illicit access was to gain access to the university's other IT systems and to acquire knowledge of the university's IT infrastructure, in order to blackmail the university with the threat of carrying out a targeted ransomware attack. The conclusion is that exporting personal data was not the motive behind the attack. This assessment is based on the methods, hacker activities, and tools used by the IT criminals in relation to the attack.


INCREASED SECURITY REQUIREMENTS

- Although personal data in itself does not appear to be the motive behind the attack, we obviously take it very seriously that IT criminals have had access to our network and the personal data of employees and students. We are glad that we discovered the attack this early so that only a few out of many users have had their sensitive personal data compromised. After the attack, we immediately closed access from and to the internet and then ensured that all users changed their password. We have increased monitoring on all systems, and we are proceeding with scheduled security measures, as well as following the controlled plan for a safe reopening of access to the IT systems. Specifically, from now on, both employees and students will meet increased security requirements for e.g. passwords and multifactor when they access and use IT systems at AAU, says University Director Antonino Castrone.

For further information, see en.its.aau.dk/alert

Press Contact: Chief Advisor Bo Jeppesen, tel. 61404061

 

Temporary data hotline

We are following the plan for reopening access to all systems and services. Before a system/service can be reopened, an extensive check-up procedure needs to be introduced.

Therefore, we have set up a temporary data hotline to ensure that activities that are very important to AAU over the next 14 days will be prioritized.

The temporary data hotline can be contacted at tel. +45 9940 7000

The phone is open every weekday from 8-15.30.

The service is temporary, and the hotline will be shut down when the systems operate as usual. 

USERS WITHOUT NEMID WHO ARE NOT ABLE TO MEET IN PERSON CAN NOW ALSO CHANGE PASSWORD

We are now ready to help employees and students who do not have a NemID and who are not able to meet in person to change their password.

Please call ITS Support at +45 9940 2020. This method, of course, also requires user verification. ITS Support will guide you through the verification steps.

See addresses and opening hours for ITS Support

USERS WITHOUT NEMID CAN NOW ALSO CHANGE PASSWORD

We are now ready to help employees and students who do not have a NemID to change their password.

Please come to one of ITS’ local service desks in person and bring photo identification (passport) and your AAU card. When your ID has been approved, we will help you to change your password.

See addresses and opening hours for ITS service desks

If you are not able to show up at campus at this time in order to change your password, please be patient and wait for further instructions.

In order to find information about the upcoming semester, please visit www.newstudents.aau.dk or contact your study secretary.

YOU CAN NOW CHANGE YOUR PASSWORD WITH NEMID

We are in the process of reopening access to AAU's IT systems.

In order to access AAU's IT systems again, you must first change your password to one you have never used before.

You can change your password at nyadgangskode.aau.dk.

If you are physically on campus, your PC will have difficulty connecting to the network, so we recommend that you use your mobile phone.

Since all AAU users have to change their password, you may experience some waiting time on the system. Keep trying until you succeed.

If you are an employee at AAU, you must use a VPN connection or be present at the campus to access systems at AAU. Initially you will have access to mail, phones, Office 365 and selected administrative systems. Access to further systems will be granted gradually.

If you are a student at AAU, you must change your password and you will have access to mail and Office 365. Educational systems will be accessible as soon as possible.

You can see additional guidance on en.aau.dk, and if you need more help, please contact ITS Support at Tel. +45 9940 2020.

We apologize for the inconvenience and appreciate your patience and understanding.

  • Press release: No confidential, sensitive personal data or research data leaked from AAU

    Aalborg, 12 August 2020  

    Since Aalborg University shut down access to all its IT systems on Tuesday night in the face of a hacker attack, in-depth analysis has been done on more than 100 GB of log data from more than 500 systems. All indicators continue to point to the fact that no confidential, sensitive personal data or research data was leaked. 

    Aalborg University is nearly at the end of this extensive review. The analyses are part of the investigative work following a series of incidents that sounded the alarm at the university’s IT department. For security reasons, Aalborg University quickly took action and shut down access to IT systems. Analyses have shown that the series of seemingly one-off events were connected and that this was a sophisticated, targeted hacker attack. More specific information on how hackers accessed AAU systems is not being published at this time for security reasons as it could be used by others or the same people. 

    - Our method of IT security at AAU takes a better-safe-than-sorry approach. Therefore, when we find activity that does not immediately appear normal, we and our security firms put it under the magnifying glass. Our analyses quickly led us to close off the Internet and we are now in the process of a controlled reopening of access to all systems. If at another time we find irregularities that, for security reasons, make it appropriate to interrupt system contact to the outside world via the Internet or that we need to have even more complex passwords, we will also not hesitate to take such decisions, says Antonino Castrone, University Director.  

    Opening access to IT systems is taking place in a controlled manner according to a step-by-step plan, and all staff and students are in the process of changing their password in order to access the systems again. Aalborg University is therefore in control of the systems, but continues to work on the final part of the analysis and investigation.  

    - We are well along in the process of access to most systems again. Our analyses show that no data – neither sensitive personal data nor research data – was compromised. We have, of course, intensified our surveillance for now as we want to remain extra attentive. We had already launched a number of planned security projects before this incident, and of course we are also continuing these, says Antonino Castrone. 

    Aalborg University reported the incident to the police, and submitted a report to the Danish Data Protection Agency as required by law. The notification to the Danish Data Protection Agency, which was due soon after the attack was detected, states there is potentially a risk that the hackers had access to personal sensitive information and to research data. However, following the numerous analyses that Aalborg University has performed in recent days, there are no indications at this stage that any such leak took place. Information has also been provided to DKCERT, which also has contact with the Centre for Cybersecurity at the Danish Defence Intelligence Service. The security staff of the other Danish universities are also being regularly apprised of the situation in the interest of extra attention to similar irregularities in their own IT systems and thus rapid response. 

    Students and staff at Aalborg University will – continually and in line with the step-by-step opening of access to systems – see all functions in systems and services running again. The expectation is that everything will be operating normally before the beginning of the new academic year.

    Press Contact: Bo Jeppesen, Senior Advisor, Tel: 6140 4061 

  • We receive a lot of requests and do our very best to get back to all of you as soon as possible

    At the moment we receive a lot of requests and do our very best to get back to all of you as soon as possible.

    Meanwhile, we ask for your patience and understanding in this extraordinary situation.

    Kind regards

    ITS - www.en.its.aau.dk

  • AAU users may experience limited functions in systems that communicate via the Internet

    Please note: During the recovery phase, we have restricted Internet traffic between AAU and the outside world. This may cause AAU users to experience limited functions in systems that communicate via the Internet.

  • All examinations planned to begin or take place on the 7th of August are being postponed

    As a result of the current situation with AAU’s IT systems, it is still not possible to hold examinations, thus a number of examinations will be postponed:

    All examinations planned to begin or take place on the 7th of August are being postponed.

    For written examinations to be submitted on the 7th of August the deadline will be prolonged.

    The departments will inform students on how and when the affected examinations will be held.

    Examinations are expected to be held as planned from Monday the 10th of August.

  • Postponement of exams - you will be notified by your programme

    As a result of the current situation with AAU’s IT systems, it is not possible to hold examinations, thus a number of examinations will be postponed:

    All examinations planned to begin or take place on the 5th and the 6th of August are being postponed.

    Written examinations to be submitted on the 5th or the 6th of August will either be postponed or the deadline will be prolonged.

    The departments will inform students on how and when the affected examinations will be held.

  • Press release from Aalborg University, Wednesday 5 August

    Aalborg University starts opening access to IT systems again

    During Wednesday afternoon it will again be possible for staff and students to log on as AAU users. Initially, email accounts and phones will be accessible.

    As previously reported, Aalborg University (AAU) suffered a critical incident in our internal IT infrastructure. Since we suspect a cybercrime, the university decided to shut down all IT systems yesterday, Tuesday 4 August 2020.

    With the rapid response to the incident and closure of university IT systems across locations and areas, it seems that the university has been able to contain and limit the incident.

    At this stage in our analyses of the incident, we do not see that AAU has lost sensitive knowledge such as research or sensitive personal data.

    - We can therefore begin today, Wednesday, a gradual reopening of our IT systems, initially email and phone systems. We cannot say right now how long it will take to get all IT systems functioning again, says Antonino Castrone, University Director.

    Out of 4,800 new bachelor students, about 300 are yet to confirm their study place. Their deadline is extended further by some days.

    There is currently no further information, but updates will be forthcoming through Facebook (facebook.com/AalborgUniversitet), Twitter (AAUItServices) and aau.dk.

    Press inquiries may be directed to Bo Jeppesen, Senior Strategic Advisor, Tel: 61404061