The serious cyber attack on the UvA and AUAS did not result in any system failures, hijacking or ransom requests. During the past few weeks, all of the UvA and AUAS servers have been thoroughly investigated and cleaned up where necessary.
The attack was detected at an early stage by the Security Operations Centre (SOC), followed by immediate measures and forensic investigations. Within a short time frame, the hackers had infected over 50 of the more than 1,000 UvA and AUAS servers and installed options for encryption at a later stage. All of the servers are currently clean – the acute danger has passed.
“This attack shows once again that higher education is a target of focused attacks and that it is necessary to be on high alert,” says Jan Lintsen, member of the UvA Executive Board. “We are proud of our ICT department and pleased that our education and research could continue during this attack. It is important to share the lessons learned from this attack and to continue investing in good cyber security. We will certainly do that in the coming period,” says Hanneke Reuling, Vice-Chair of the AUAS Executive Board.
The UvA and AUAS have filed a report with the cybercrime police and have also notified the Dutch Data Protection Authority. The police investigation is ongoing.
There are currently no indications that the hackers were after personal or general data. Because the attackers did have access to a number of systems and the encrypted passwords, all users were asked to change their passwords as a precaution. Some 110,000 employees and students responded to this call within a week and a half. Waiting times at the service desk were minimal.
The attack and the AUAS and UvA’s response to it will be extensively evaluated in the coming weeks, and there will be additional investigations where necessary. The lessons learned and recommendations will be shared publicly − particularly with other higher education institutions − after the investigation has wrapped up.
Recovery of services
The focus in the coming period will be on the recovery of ICT service provision for students and employees. Systems that have been cleaned up or turned off as a precaution will be made available again in phases. This is a process that will take several months and will be carried out in close consultation with the faculties and shared service units.