[9.2.2023] Updated information in accordance with Article 34 of the GDPR

Staff Unit for Legal Affairs/Data Protection Officer

It was already communicated here that the University of Duisburg-Essen was the target of a large-scale cyberattack. This was also the case with the news that data had since been published. This information is intended to provide insights into what we currently know.

Chris – stock.adobe.de

Systems are successively being restored. We are pursuing our goal to return to normal operations at full speed and are sure that you have noticed how many things are already working again.

The criminals’ threat to publish stolen data has since become reality. The volume of data and the limited data transfer possibilities severely restrict our ability to assess it. Considerable time is therefore needed to establish a comprehensive overview. The data is located in an area that is not directly accessible (Tor network, ‘darknet’) and therefore cannot currently be found using a standard search engine. If you do notice that data from the hack has appeared on the public Internet, please let us know. Search engines have blocking mechanisms that make data harder to access, which UDE is implementing immediately.

We are providing step-by-step updates here about what we currently know about the data found. As explained above, our current knowledge is unfortunately not final and complete.

Student and graduate data:

A list of all students from the winter semester 2022/23 was published. This list includes names and contact details (postal address, UDE email, no telephone numbers), current semester of study, and which degree programme and faculty the student belongs to. There are also lists of graduates from recent years.

Therefore, risks may arise for individual students and graduates if their addresses should not be published for certain reasons (e.g. stalking).

In individual cases, for instance, semester papers and final theses, viewing reports for examinations and results lists for individual examinations or students’ transcripts of records or similar documents can be found. To date, no particular risks for the individuals affected have been able to be identified.

Personal directories:

In individual cases, personal directories of staff members have been published. These staff members are successively being informed when we have been able to identify them. It is not possible to immediately and easily identify who the directory belongs to. If further data is identified in these directories, further steps will be taken. Other individuals may also be affected by the contents of the official data stored there.

Research data:

Data from research contexts with a medical background has been found. In this case too, our aim is to inform individuals personally. The data (participant data) includes given names and surnames, and in some cases dates of birth, and is sometimes connected to medical examinations. In collaboration with the University Hospital Essen, a solution is currently being developed to identify the individuals concerned and then to contact them directly and inform them together with the research unit.

The following continues to apply:

You have hopefully seen that UDE is working to restore operations from various angles. Of course, fair and pragmatic solutions will be made available to mitigate the consequences, particularly in the occurrence of data theft.

It can also be assumed that access credentials were targeted in this attack. However, this data has not currently been published. We continue to recommend that you handle your access data with care. If you have not yet changed your password, do so immediately – also in order to be able to use the services that are available again.

Systems should currently be scanned for malware (using antivirus software) on a regular basis. For this purpose, a Sophos update server is now available internally once again. If malware is found or suspected, the system must necessarily be cleansed. If cleansing is not possible, the entire system must be reset. Please report such cases to isb.zim@uni-due.org.

Current information on these issues can be found on the website www.uni-due.de. The Data Protection Officer will also do his best to answer your questions. He can be contacted at kai-uwe.loser@uni-due.de.