Not one, but two online surveys had been set up and I’d received an email from ‘securityawareness@tue.nl’, aka Martin de Vries, TU/e’s Chief Information Security Officer, politely requesting me to complete them. The email contained personal links to a third-party website (knwobe4.com), which I could then access using my TU/e login credentials.

Once I was logged in, I first had to deactivate my pop-up blocker in order to answer questionnaires chock-full of double negatives. Nevertheless, I did my duty. One of the questions was about how careful I usually am when it comes to links in emails. Unfortunately, I didn’t get to see if I got everything right, but I did receive a new email with a link to video clips from ‘The Inside Man’.

A few days later, there was an email from ‘databreaches@tue.nl’ in my inbox. That email address doesn’t even exist, but it redirects to ‘privacy@tue.nl’. Apparently, TU/e’s access card system is outsourced to a third party and that party had been hacked. I proceed to read the contents, feeling slightly suspicious.

I’m kind of hoping that this is a fake phishing email as part of Security Awareness Week, since this email contains links as well. I’ve learned to always carefully check where those links lead to, but I can’t, as they both direct to tracking.tue.nl. Of course, we’d like to know who clicks on which link, and when.

Unfortunately, the hack turns out to be real and an external party (ID-Ware) is apparently in possession of a lot of my personal data. Because in order to print an access card, TU/e provides ID-Ware with my employee number, my name, address, residence, place of birth and private email address. But there’s also good news; they don’t have my passport photo. Not that it would be of any use to them, because on that twelve-year-old photo, I still had hair.

I’m very surprised that TU/e is apparently happy to spread personal data around to third parties who have absolutely no need for them, and certainly shouldn’t be storing them. So the real data breach is not with ID-Ware, but with TU/e itself. I think the administration should take a course in security awareness.