Employee , Student
20/10/2022

Thousands of TU/e staff and students’ personal data exposed

Due to a breach at access card company ID-Ware, thousands of TU/e’s personal data are now out in the open. This concerns the data of both students and employees. Today, the people affected were alerted by email.

by Bridget Alcione Spoor

photo Pixabay

Back in September this year, there was a hack in which data was stolen from ID-Ware. At that point, it seemed to involve just a limited amount of data, and the people affected at the time were notified on October 8. This was not given much publicity. However, it has now been revealed that the breach is much worse than initially thought, and TU/e was informed of this on October 14. There is no mention anywhere of exactly how many people were affected by the leak, but the warning email was sent university-wide and the community consists of over 20,000 people, and of course, the company ID-Ware also produces cards for other organizations and processes personal data for them as well.

The data stolen varies from person to person, but it may involve one or more of the following:

TU/e ID
Initials
Last name
Address
Residence
Student number if applicable
Place of birth
Private email address

The stolen data can be found on the dark web if you know how to search there.

Risk of identity fraud

Campus cards will remain active and students and staff may continue to use them. ID-Ware did not have access to passwords of TU/e accounts, so these data were not leaked. This breach could have major consequences, such as identity fraud; but the data could also be used for phishing or spam. Therefore, it is advisable to be extra alert to this, as is also mentioned in the warning email. Anyone who has become aware of any form of identity fraud is advised to report it to the Central Identity Theft and Error Reporting Center.

Reporting the breach

The email to the TU/e community, which was signed by the Executive Board, does not say anything about consequences for the ID-Ware company, nor whether this leak was reported to the Dutch Data Protection Authority, a mandatory requirement for data breaches of this kind. ID-Ware’s statement also does not explicitly mention the Dutch Data Protection Authority, but it does say that the company keeps in close contact with ‘the police, government and National Cyber Security Center’. There is a high penalty for neglecting to report data breaches in a timely manner. Reporting a data breach does not automatically result in a fine or other penalty.

Share this article

Employee Student
26/01/2023

Internal investigation into ID-Ware leak made public

“Stop processing people’s place of birth, date of birth and sex for the campus card process.” This is the first recommendation in the report by Bas Schellekens, TU/e’s independent Data Protection Officer, who carried out an internal investigation into the leaking of data of thousands of campus card holders in October 2022. The leak originated from card provider ID-Ware, which had been hacked. What could or should the university have done to minimalize risks?

view article

Employee Student
23/11/2022

Many questions about data breach at ID-Ware remain unanswered

When did the university start sharing home addresses of students and staff members with ID-Ware, so that the campus cards could be sent to people’s home address? According to the spokesperson for the Executive Board, ID-Ware has been sending “the bulk of the cards” made for new students by post “for many years.” The company required the addresses for this. The exact year in which this practice started has not been made public. There is also “no basis at this point to conclude that the sharing of address details of personnel started prior to 2021,” the spokesperson says. Cursor’s request to gain access to a full overview of all personal data provided by TU/e to third parties, including ID-Ware, was rejected. The University Council also submitted questions. TU/e’s own, internal investigation is still ongoing.

view article

Employee Student
22/10/2022

Why is place of birth required information for a campus card?

Cursor has received many signals from within the TU/e community that people want to know why ID-Ware had access to so many categories of personal data that may at first appear irrelevant for a campus card. Home and private email address and place of birth are some clear examples of this kind of information. We at Cursor wondered the same thing when we read last Thursday’s email about the leak and decided to approach both TU/e and ID-Ware with some questions.

view article

Risk of identity fraud

Reporting the breach

Discussion

Send Comment

Tags

Most read articles