Users

IT CRIMINALS HAD ACCESS TO A FEW USERS’ SENSITIVE INFORMATION

A quick reaction from Aalborg University (AAU) meant that only a few employees' sensitive personal data was compromised when IT criminals hacked into Aalborg University's IT system. This is the result of the investigation initiated by the AAU immediately after the shutdown on 4 August. The compromised data concerns salary information of 28 employees or former employees, and passwords of 15 students and employees. Those affected are now being informed in a letter.

In addition, the university's investigation shows that about 30,000 users are affected by the incident, as the IT criminals have had access to the university's network and user database (Active Directory). The user database primarily shows general personal data, which is publicly available on Aalborg University's website. Additionally, it contains passwords in encrypted form (password hashes) and, for some users, mobile number for multifactor authentication.

Aalborg University is currently notifying everyone with a user profile in the university's user database whose general or sensitive personal data has been compromised.

PERSONAL DATA COLLECTION WAS NOT THE MOTIVE

It has been assessed that the intention of the illicit access was to gain access to the university's other IT systems, as well as to acquire knowledge of the university's IT infrastructure, to be able to blackmail the university with the threat of carrying out a targeted ransomware-attack, concluding that exporting personal data was not the motive behind the attack. This assessment is based on the methods, hacker activities, and tools used by the IT criminals in relation to the attack.

On this page, we will inform affected users with additional information and topics on which we might receive many inquiries.

In case you do not find needed answers in the email that we send you directly, or on this page, please contact us at: GDPR-information@aau.dk

  • +

    ENCRYPTED PASSWORDS AND PASSWORD HASHES

    In the press release and the notifications to affected users, we briefly mention encrypted passwords and password hashes.

    In this article, you can learn more about the two concepts:

    MD5, SHA-1 eller Scrypt: Er dine brugeres kodeord (forsvarligt) krypteret? (Danish)

  • +

    IS MY INFORMATION BEING MISUSED?

    Aalborg University has no reason to believe that any personal data is or will be misused, as investigations of the cyberattack show that the attack relates to a potential ransomware attack and economic blackmailing of the university.

    However, you should, as a precaution, pay extra attention to any indications that your information could be misused. Find more information here: www.sikkerdigital.dk/borger/ (Danish).