In mid-March, special “intrusion detection systems” at HHU identified an attack on the University’s IT systems. Via access data stolen from a small number of students, the criminals were able to gain access to the E-exam system and the records archived there, including exam questions and answers, the points for them and the names of around 15,000 students who have completed exams. However, the data records did not include the exam grades.
Manipulation of the exam data and grades has been definitively excluded: The hackers were unable to alter the exam results relevant for grading as the data required for the grading were exported from the system immediately after the exams. There are no indications to date that the hackers have downloaded data from the system.
The second set of data records affected by the attack included user data such as names and e-mail addresses; in the case of students, student ID numbers and subject information were also affected, and in the case of employees, also the organisational affiliation. Data belonging to more than 60,000 so-called “university usernames” were stolen. These “university usernames” belong to HHU students, employees, alumni and guests who have access to HHU systems.
The hackers had no access to passwords and other personal data, meaning that the corresponding accounts are secure and cannot be taken over by the hackers.
The attack was carried out using stolen access data, which were used to gain access to the HHU E-exam platform. A security flaw in this system enabled the hackers to obtain data, which are not otherwise accessible; the user data were also extracted via this route.
HHU implemented new security systems last year, which enabled the attack to be identified quickly and countermeasures to be initiated: The compromised student accounts were blocked within hours and the affected IT system was taken out of operation on the following day, ensuring that no further harm was done.
HHU has reported the incident to the responsible data protection supervisory authority and filed charges against persons unknown following the attack.
The stolen data do not allow any access to the accounts of other students or employees, or compromise further IT systems at HHU. The University takes the losses incurred very seriously and those affected will be informed as far as possible.