Security Awareness Week
My plan was to write a column on the new Times ranking. Once again, TU/e does not fare well, outranking only Tilburg and Twente. But I understand that we’d rather not talk about this ranking. I started by comparing TU/e to MIT – who was it that once called us ‘MIT by the Dommel’? – only to find out that we cater to the same number of students with just a third of the staff and a tenth of the budget that they have. Frustrated, I started filling out security awareness surveys.
Not one, but two online surveys had been set up and I’d received an email from ‘firstname.lastname@example.org’, aka Martin de Vries, TU/e’s Chief Information Security Officer, politely requesting me to complete them. The email contained personal links to a third-party website (knwobe4.com), which I could then access using my TU/e login credentials.
Once I was logged in, I first had to deactivate my pop-up blocker in order to answer questionnaires chock-full of double negatives. Nevertheless, I did my duty. One of the questions was about how careful I usually am when it comes to links in emails. Unfortunately, I didn’t get to see if I got everything right, but I did receive a new email with a link to video clips from ‘The Inside Man’.
A few days later, there was an email from ‘email@example.com’ in my inbox. That email address doesn’t even exist, but it redirects to ‘firstname.lastname@example.org’. Apparently, TU/e’s access card system is outsourced to a third party and that party had been hacked. I proceed to read the contents, feeling slightly suspicious.
I’m kind of hoping that this is a fake phishing email as part of Security Awareness Week, since this email contains links as well. I’ve learned to always carefully check where those links lead to, but I can’t, as they both direct to tracking.tue.nl. Of course, we’d like to know who clicks on which link, and when.
Unfortunately, the hack turns out to be real and an external party (ID-Ware) is apparently in possession of a lot of my personal data. Because in order to print an access card, TU/e provides ID-Ware with my employee number, my name, address, residence, place of birth and private email address. But there’s also good news; they don’t have my passport photo. Not that it would be of any use to them, because on that twelve-year-old photo, I still had hair.
I’m very surprised that TU/e is apparently happy to spread personal data around to third parties who have absolutely no need for them, and certainly shouldn’t be storing them. So the real data breach is not with ID-Ware, but with TU/e itself. I think the administration should take a course in security awareness.