“To the extent that we have had time to analyse the content, most of the information leaked is harmless from an IT security perspective, but some personal data has been identified in the material, such as user names, first names and surnames, and in certain cases more sensitive information,” says Per-Olof Andersson, acting Chief Information Officer.

The individuals affected are primarily employed at University IT Services, but the leaked material includes the first names, surnames and user names of other people at the University as well as a few people outside the University. The incident has been reported to the University’s data protection officer, the Swedish Civil Contingencies Agency and the police.

Take a look at your security routines

“Employees and others engaged at the University do not need to take any special action in response to the incident. However, as always, it’s important to choose a good password, manage your password securely and never share it with anyone else. It’s also important to keep your computer updated and only use it for work-related tasks. Games and other software used in your spare time do not belong on your work computer,” Andersson says.

The fact box below tells you more about what you personally can do to contribute to greater IT security.

The hacker attack occurred on 10 July, and on 14 July the SUNET security centre informed Uppsala University that information from two of the University’s systems, the Jira issue tracking system and the Confluence documentation tool, was available for download on the internet. Both of these systems are mainly used by University IT Services. SUNET provides services including internet connections for all higher education institutions in Sweden.

Hijacked user account used for access

The attack was quickly traced to a hijacked user account, which was blocked. External access to the systems concerned was limited. To secure the IT environment, the passwords for administrator accounts at University IT Services were then changed. Analysis is in progress to determine how the account was hijacked.

The material was downloaded using an IP address from Russia and, according to information from the SUNET security centre, was shared on the internet by a Russian actor.

Following the attack, a group has been working to check whether any critical information got out. The current assessment is that the University’s IT environment is now secure after the actions taken following the attack. However, the group is continuing its analysis and if it turns out that any individual employee has been affected, they will be contacted directly for necessary action.

What consequences could the attack have?

“A follow-up group will analyse further action when the incident is closed to reduce the risk of similar intrusions in the future. Possible measures include speeding up the introduction of multi-factor authentication and requiring a VPN connection for additional systems. Another potential consequence is action to limit external access to sensitive IT systems at the University.”

Multi-factor authentication means that users have to use at least two different verification factors to log in to IT systems. One example would be a physical login card combined with a password.