Earlier this month, the board of Maastricht University admitted that it had paid €197,000 to hackers who carried out a major cyberattack just before Christmas last year. Failure to make the payment could have left the university unable to resume its education and research activities for months.
According to the minister, the ransom money and “all other costs connected with the ransomware attack” were paid from “the sale of a participation of the holding of Maastricht University”. She emphasizes that universities and universities of applied sciences are responsible for their own information security.
The question is what those other costs exactly entail. Do they for instance include costs for the assistance provided by security company Fox-IT, which investigated what had gone wrong after the cyberattack?
A Maastricht University spokesperson confirmed that this was correct. “The costs covered the engagement of third parties, like Fox-IT, as well as temporary security measures involving additional IT staff. Nevertheless, all future costs incurred to improve the university’s digital security will be drawn from the regular budget.”
He also asserts that it has never been a secret that the ransom money was not paid from education and research funding. But this fact has thus far not been disclosed in most of the media reports about the cyberattack. Only the Financieele Dagblad mentioned this in an interview with the Vice-Chair of the University, Nick Bos, following a press conference held on 5 February.
No ransom money
The minister has revealed for the first time that the government advised Maastricht University in December not to pay any ransom money to the hackers. “Before the university took the step to make the payment, I informed them that the government’s stance is that no money should be given to criminals,” writes Van Engelshoven. But the board decided otherwise.
The Education Inspectorate is currently investigating the cyberattack in Maastricht and digital security in the entire higher education sector. The minister expects this investigation to be completed after the summer.
The institutions themselves are not sitting idly by. Already before the summer, they will be presenting a plan for additional security measures, such as more internal and external inspections, and informing both staff and students better about the threat of cyberattacks.
SURF, a Dutch ICT cooperative, recently warned that Dutch education and research is becoming increasingly vulnerable to cybercriminals. Academic institutions must do everything in their power to safeguard against the threat of cybercriminals.