A detailed announcement of the Open University of Greece, referred to the cyberattack which it received on 25/10/2024- Authorities are investigating the incident
The Open University of Greece has received cyberattack on 25/10/2024, with the investigation of the incident being ongoing.
On 25/10/2024 suspicious activity was identified in the University Information Systems.
Was involved in unauthorized access.
The attack was carried out with Ransomware (Ransomware Attack), in which malware gained access, with specific rights, to the main information infrastructure and backup infrastructure and caused encryption of the Virtual Machine Management System and dysfunctions in the database.
The encryption did not affect all of the backup copies, which was recovered by the backup infrastructure and used, after thorough security inspection, to recover the systems and services of the University.
The extent of the leak
This attack resulted in the limited leak of personal data. The size of the leaked data amounts to 813GB, according to the data so far.
However, as the university argues, this size represents an extremely small percentage, compared to the total volume of data maintained by the institution (the size of many terabytes), indicating that the leak is limited scale.
This size can be compared, for example, to the local disk capacity of a typical computer.
The leaked files contained, according to the so far, personal data in various file formats (mainly DOC, PDF, Excel). In addition, the leaked file is on the dark web, where access requires specialized, technical knowledge.
In addition, according to the analyzes so far, this particular file that leaked is not possible, at this stage, to be obtained. What can be made available for download is much smaller than the original set of data undercut (about 65 GB recovered).
Categories of personal data that may have leaked
The Foundation informs the possible categories of data that may have been affected.
The report includes data/categories of data that could theoretically be exposed.
Name, Patron Name / Metrop, property, relatives, nationality, gender, date of birth, VAT, AMKA, AMA, ADT, Signature (Physics), Photos, Username, Contact Data (Postal Address, Phone Number, Degrees, Certificates of Studies), Health Data, Financial Data (IBAN, Pricing Details, Expenditure Payment), Professional & Research Investigations Data (Curriculum Vitae, Research / Professional / Teaching / Writing), Decision Data, Collective Institutions.
However, based on the so far available indications and ongoing research, the actual leak seems to be limited to a clearly lower data range.
Actions taken to address the incident
EAP He applied all the necessary measures to ensure the minimum, strong leak while at the same time working directly with the National Cyber ​​Security Authority, the Directorate of Cybercrime and the Personal Data Protection Authority.
More specifically:
From the first moment of the incident (25/10/2024) both the National Cyber ​​Security Authority and the Directorate of Cybercrime was informed. The update is continuous.
The incident at the Protection Authority was notified in time. The original statement is updated according to the data.
Created an incident management group
The Foundation’s Technical Services, in collaboration with a specialized company, have taken, directly, in all actions to address the incident and to limit its effects. Specifically, on the same day (25/10/2024), the event wasolated (interruption of the affected systems).
Update data subjects and provide indicative instructions for protecting their personal data.
Enhancing the awareness of academic and administrative staff on the protection of personal data and the risks of cyberattacks.
Preparation of notice to strengthen the technical service with additional specialized staff.
Messagements were filed against an unknown and all responsible for the malicious attack.
They have already implemented targeted measures to enhance the security of our information systems while an overall upgrade of the infrastructure is ongoing, which includes the strengthening of existing protection mechanisms and the addition of additional security valves.
For security reasons, the accurate, technical actions already taken or scheduled to be carried out cannot be made public.
Possible consequences of leakage for data subjects
A data leak may have possible consequences for data subjects, such as:
Targeted phishing attacks.
Attempts to fraud, by email or phone.
Possible, unauthorized use of personal information that can lead to fraud and malicious use of this personal information by clever or criminals.
Abuse of data to create fake accounts or forgery.
Leakage of information that can lead to social engineering.
Malicious use of information, with the aim of fraud (mainly economic).
Target for unwanted advertising or spam (spam).
Violation of privacy through a possible leak of personal data to unauthorized individuals or bodies.
Identity theft and the use of personal information for fraudulent activities.
It is noted that the possible number of subjects involved seems to be, noticeable, limited and the categories of data that may have leaked are significantly less than mentioned. However, we recommend that all interested parties take appropriate protection measures, ensuring their rights as data subjects. In this way, they not only comply with protection requirements but also actively enhance their privacy.
Source: Skai
I have worked as a journalist for over 10 years, and my work has been featured on many different news websites. I am also an author, and my work has been published in several books. I specialize in opinion writing, and I often write about current events and controversial topics. I am a very well-rounded writer, and I have a lot of experience in different areas of journalism. I am a very hard worker, and I am always willing to put in the extra effort to get the job done.
