Image of a computer screen with the words

Information from two of the University’s IT systems has been published openly on the internet after a hacker attack this summer. Following the attack, various steps have been taken to enhance security. Photo: Getty images.

2023-08-14

Hacker attack against the University this summer

During the summer, the University was targeted by a hacker attack. Information from two of the University’s IT systems has been shared on the internet. Steps have been taken to secure the University’s IT environment and individuals affected have been contacted. Article updated with FAQ in the fact box 21 August 2023.

“To the extent that we have had time to analyse the content, most of the information leaked is harmless from an IT security perspective, but some personal data has been identified in the material, such as user names, first names and surnames, and in certain cases more sensitive information,” says Per-Olof Andersson, acting Chief Information Officer.

The individuals affected are primarily employed at University IT Services, but the leaked material includes the first names, surnames and user names of other people at the University as well as a few people outside the University. The incident has been reported to the University’s data protection officer, the Swedish Civil Contingencies Agency and the police.

Take a look at your security routines

“Employees and others engaged at the University do not need to take any special action in response to the incident. However, as always, it’s important to choose a good password, manage your password securely and never share it with anyone else. It’s also important to keep your computer updated and only use it for work-related tasks. Games and other software used in your spare time do not belong on your work computer,” Andersson says.

The fact box below tells you more about what you personally can do to contribute to greater IT security.

The hacker attack occurred on 10 July and Uppsala University was informed by the SUNET security centre on 14 July that information from two of the University’s systems, the Jira issue tracking system and the Confluence documentation tool, was available for downloading on the internet. Both of these systems are mainly used by University IT Services. SUNET provides services including internet connections for all higher education institutions in Sweden.

Hijacked user account used for access

The attack was quickly traced to a hijacked user account, which was blocked. External access to the systems concerned was limited. To secure the IT environment, the passwords for administrator accounts at University IT Services were then changed. Analysis is in progress to determine how the account was hijacked.

The material was downloaded using an IP address from Russia and according to information from the SUNET security centre, the material was shared on the internet by a Russian actor.

Following the attack, a group has been working to check whether any critical information got out. The current assessment is that the University’s IT environment is now secure after the actions taken following the attack. However, the group is continuing its analysis and if it turns out that any individual employee has been affected, they will be contacted directly for necessary action.

What consequences could the attack have?

“A follow-up group will analyse further action when the incident is closed to reduce the risk of similar intrusions in the future. Possible measures include speeding up the introduction of multi-factor authentication and requiring a VPN connection for additional systems. Another potential consequence is action to limit external access to sensitive IT systems at the University.”

Multi-factor authentication means that users have to use at least two different verification factors to log in to IT systems. One example would be a physical login card combined with a password.

Anders Berndt

FAQ

FAQ published 21 August 2023.

What has happened?

During the summer, the University was targeted by a hacker attack. A user account was hacked and information from case management and documentation systems used by University IT Services was shared on the Internet.

Is the hacker attack still going on?

No. The account that was hacked and used to access the systems was closed down immediately and the University’s IT environment was secured. In specific terms, access to the affected systems was restricted.

Could my personal data have been leaked?

The individuals affected are primarily employed at University IT Services. The affected systems are not used for storing account or personal data, but in spite of that the leaked material includes a number of first names, surnames and user names of other employees and students at the University as well as a few people outside the University. No sensitive personal data were leaked. Read about the difference between personal data and sensitive personal data on the Staff Portal.

When and how will I find out whether my own data was leaked?

Analysis of the material is still in progress, but if any individual person turns out to have been more specifically affected, they will be contacted directly. Information will be sent to everyone affected when the analysis of the material is completed.

Do I have to change my password?

Not specifically because of this incident, but it’s always a good habit to update your computer regularly, change your passwords and manage them securely.

Could my research data or other information that I have stored at the University have been leaked?

Analysis of the material is still in progress, but the systems concerned are mainly for administration in University IT Services, not for storing research data.

Does the hacker attack affect students at the University in any way?

So far, the analysis of the content shows that most of the information leaked is harmless, but some personal data such as user names, first names and surnames of employees and students have been identified in the material. No sensitive personal data were leaked. Read about the difference between personal data and sensitive personal data on the Staff Portal.

What will happen now? What is the University doing about the situation?

One of the things being done is to speed up planned security measures such as the introduction of multi-factor authentication and VPN requirements for additional systems. Multi-factor authentication means that users have to use at least two different verification factors to log in to IT systems. Another potential action is to limit external access to relatively sensitive IT systems at the University. A follow-up group will analyse further action when the incident is closed to reduce the risk of similar intrusions in the future.

Might the leaked information make the University more vulnerable to a future hacker attack?

Work is in progress to assess the total risk involved in the leaked material, but the increased measures already taken have secured the University’s IT environment.

What can I do, as an employee, to protect my own data and other people’s data?

Good IT hygiene goes a long way. Keep your computer and telephone updated, be careful with your passwords and be alert when clicking on links in email messages and on the Internet – do you know where they lead? Read more about how to create a more secure everyday IT life on the Staff Portal.

I’ve heard the attack came from Russia. What does that mean?

Attempts at this type of intrusion occur every day and often from other countries. In this case it was a Russian computer and IP address that lay behind the intrusion, but nothing else about the incident relates specifically to Russia.

Filtration