A quick reaction from Aalborg University (AAU) meant that only a few employees' sensitive personal data was compromised when IT criminals hacked into Aalborg University's IT system. This is the result of the investigation initiated by the AAU immediately after the shutdown on 4 August. The compromised data concerns salary information of 28 employees or former employees, and passwords of 15 students and employees. Those affected are now being informed in a letter.
In addition, the university's investigation shows that about 30,000 users are affected by the incident, as the IT criminals have had access to the university's network and user database (Active Directory). The user database primarily shows general personal data, which is publicly available on Aalborg University's website. Additionally, it contains passwords in encrypted form (password hashes) and, for some users, mobile number for multifactor authentication.
Aalborg University is currently notifying everyone with a user profile in the university's user database whose general or sensitive personal data has been compromised.
PERSONAL DATA COLLECTION WAS NOT THE MOTIVE
It has been assessed that the intention of the illicit access was to gain access to the university's other IT systems, as well as to acquire knowledge of the university's IT infrastructure, to be able to blackmail the university with the threat of carrying out a targeted ransomware-attack, concluding that exporting personal data was not the motive behind the attack. This assessment is based on the methods, hacker activities, and tools used by the IT criminals in relation to the attack.
On this page, we will inform affected users with additional information and topics on which we might receive many inquiries.
In case you do not find needed answers in the email that we send you directly, or on this page, please contact us at: GDPRemail@example.com