Cyberattack at Hellenic Open University (HOU): 813GB of personal data leaked

The Hellenic Open University clarifies that this size represents an extremely small percentage, compared to the total volume of data that they maintain, and emphasizes that the investigation continues.

The HOU in Greece, has provided clarifications regarding the cyberattack it suffered last October, noting that the investigation on this incident is still ongoing. The cyberattack, which took place on October 25th, resulted in the HOU’s electronic systems being put out of operation.

A statement issued by the Data Protection Officer of the Hellenic Open University, claims that on October 25th:

“[…] suspicious activity in our information systems, which concerned unauthorized access, was detected.”

It is noted that during the attack, malicious software gained access to the main IT infrastructure and backup systems, causing encryption of the virtual machine management system, as well as malfunctions in secondary systems and the data network.

“The encryption did not affect the entire backup set, which was recovered from the backup infrastructure, and was used (after a thorough security checks) to recover the University’s systems and services.”

The scope of the data leak

The attack resulted in a limited leak of personal data. The volume of this leakage is estimated at 813GB, based on current findings. However, it is clarified that this volume represents a very small percentage compared to the total volume of data maintained by the institution (several TB), indicating that the data leak was limited in scale.

This volume can be roughly compared to the capacity of a typical computer’s local disk, according to the HOU. The leaked files reportedly included personal data in various file formats (primarily DOC, PDF and EXCEL). Additionally, the leaked file is currently located on the “dark web,” which requires specialized technical knowledge to access.

According to current analysis, the leaked file cannot be fully downloaded at this stage. What can potentially be retrieved, is much smaller than the initial total of stolen data (approximately 65GB have been recovered).

Potential Leaked Data

Regarding the types of data that may have been compromised, the HOU lists information categories that could theoretically have been exposed:

• Full name, father’s/mother’s name, status, relatives’ information, nationality, gender and date of birth
• Tax identification number (TIN), social security number (known as AMKA in Greek), student/employee ID, identity card number, physical signature, photographs and username
• Contact information (postal address, phone number (landline and mobile) and e-mail address (personal and organization)
• Academic and educational data and qualifications (grades and performance, degrees and study certificates)
• Health and financial data (IBAN, invoicing details, expense payment details)
• Professional and research activity data (CV, research/professional/teaching/publishing work)
• Data on decisions of collective bodies and committee decisions
• Contractual data, contractor and bid information

However, based on available evidence and the ongoing investigation, the actual data leak appears to involve a significantly smaller range of data.

Measures Taken to Address the Incident

The HOU implemented all necessary measures to ensure the minimal possible data leakage, while also cooperating directly with the National Cybersecurity Authority, the Cyber Crime Division, and the Hellenic Data Protection Authority.

Specifically:

• From the moment the incident occurred (25/10/2024), both the National Cybersecurity Authority and the Cyber Crime Division were notified. Updates remain ongoing.
• The incident was promptly reported to the Hellenic Data Protection Authority (HDPA). The initial report is being updated accordingly.
• An Incident Management Team was formed.
• The university’s Technical Services, in collaboration with a specialized company, immediately took all necessary actions to address the incident and limit its consequences. Specifically, the same day (25/10/2024), the affected systems were isolated (system shutdown).
• Data subjects were informed and provided with suggested guidelines on how to protect their personal data.
• Awareness among academic and administrative staff regarding personal data protection and cyberattack risks was increased.
• A call for hiring additional specialized technical staff is being prepared to reinforce the Technical Services.
• A legal complaint was filed against unknown individuals and any responsible parties for the malware.
• Targeted security enhancement measures have already been implemented for the IT systems, and a broader infrastructure upgrade is underway, which includes strengthening existing security mechanisms and introducing additional safeguards.

For security reasons, the exact technical actions already taken or planned cannot be disclosed.

Possible Consequences of the Leak

A data leak may have potential consequences for affected individuals, such as:

• Targeted phishing attacks
• Fraud attempts via e-mail or phone
• Unauthorized use of personal information leading to fraud or malicious activity by criminals
• Misuse of data to create fake accounts or forge documents
• Leakage of information that can lead to social engineering attacks
• Malicious use of information for fraudulent purposes (mainly financial)
• Targeting with unsolicited advertisements or spam calls
• Privacy violations through unauthorized access to personal data
• Identity theft and use of personal data for fraudulent activities

It is noted that the likely number of affected individuals appears to be significantly limited, and the categories of data potentially leaked, are far fewer than those listed above. Nonetheless, the HOU recommends that all concerned individuals take appropriate protective measures.

The HOU concludes to the following statement:

“The HOU is fully cooperating with the relevant supervisory authorities, providing all necessary information and assistance as part of the investigation into the incident, in full compliance with the applicable legal and regulatory framework. Given that the digital environment is dynamic and constantly evolving – with new challenges and technological changes directly affecting cybersecurity requirements – the HOU is committed to maintaining a continuously updated and adaptable protection framework, aiming at ensuring the highest possible level of integrity, availability, and confidentiality of user data.”