Over the next few days, additional information will be provided here, including the questions asked with corresponding answers. If necessary, terms will be explained in reference to the communication about the ID-ware data breach.
FAQ data breach
Whose data has been leaked?
It does not concern student cards, only HU cards. Employees who were employed by the HU on 01 July 2021 and students – for example HU-interns – who received an HU card before 01 July 2021 are included in the file that was leaked. This means that everyone who entered employment after 01 July 2021 and received an HU card is not included in the file in question.
These dates are an adjustment of the dates previously mentioned. Our own analysis has shown, to our regret, that ID-ware has added these employees to the file that was created in March 2021. We will call ID-ware to account for their actions.
My visitors receive an HU card when they enter the building or park their car. Is their information also leaked?
No. It really only concerns the HU cards sent to HU employees by post and not the day passes issued through our reception.
How can you be certain that students have not been affected?
Access cards are only issued to employees and students who have an HU card for specific reasons. The supplier ID-ware does not create student cards and therefore has no student data at its disposal.
Has the breach been fixed?
ID-ware has confirmed that the breach has been fixed and that no more HU data can be stolen.
What data has been leaked?
The following personal details were compromised in the data breach:
- personal number (internal system number, so not the employee number)
- forename
- surname
- address
- postal code
- place of residence
- HU access card number
In the case of holders of company cards, only people’s names and personal numbers were leaked.
What is a personal number and what can a hacker do with it?
This is a number generated by the system, used only within the HU. That number is used to connect accounts in one HU system to another. These numbers are traceable to individuals only within those systems, but not if – as was the case with ID-ware – you only have one single file. A hacker therefore has insufficient information to do anything with it.
Why did the HU share data like my home address with an external party?
ID-ware was commissioned by the HU to create the cards and to post them to our employees. That is why ID-ware also needed the home addresses of HU employees.
How does the HU check whether other parties/suppliers are secure?
The HU follows a privacy policy, in order to handle personal data with care. For example, we draw up processing agreements with suppliers, in which we agree what personal data they are allowed to process and how they are required to protect our data (technical and organisational measures). We have also established such a processing agreement with ID-ware.
Why is this data still available? What checks has the HU carried out to ensure that agreements were met by the supplier?
Agreements have been made with the supplier, and tightened up where necessary, on how we handle your personal data. When setting up the process, we worked with the supplier to determine what data they needed in order to be able to create and deliver the cards. This included determining when this data had to be removed again. The basic principle is that the home addresses of employees are removed by the supplier as soon as the card has been activated. Unfortunately, we have had to conclude that this did not go well when the new cards were created in March 2021. In addition, ID-ware has not removed the personal data of the new cards in the period April – June 2021.
After 01 July 2021, work has been performed according to agreements and home addresses are removed immediately after activation of the cards. The HU has called the supplier to account for their actions.
These dates are an adjustment of the dates previously mentioned. Our own analysis has shown, to our regret, that ID-ware has added these employees to the file that was created in March 2021. We will call ID-ware to account for their actions.
Why did it take so long to inform all employees?
At the time we were informed by the supplier, we conducted our own investigation into who was affected by the data breach. After the conclusion of this investigation, we informed everyone affected. In the meantime, we posted a general notice on the intranet stating that we were investigating the data breach.
How does the HU handle compensation for damage suffered?
If you have suffered damage as a result of the data breach, it is important to substantiate what damage you have suffered and how that damage relates to the data breach. In other words, to demonstrate that the damage was caused by the data breach. We will be happy to look into this with you further, after receiving this information from you.