Dutch university hit with €175,000 fine after 2021 data breach
The Dutch Data Protection Authority (AP) says it has imposed a 175,000-euro fine on HAN University of Applied Sciences for breaching the General Data Protection Regulation. The probe was initiated following a 2021 hack that the university reported to the AP.
The Authority’s investigation found that HAN University of Applied Sciences had previously failed to implement adequate measures to safeguard the personal data of students, staff, and others. Through a web form, a hacker accessed HAN University’s web and database servers. The individual threatened to make personal data, including addresses, names, passwords, and citizen service numbers, public and unsuccessfully demanded ransom from the university.
Local reports suggest that the leaked data might have been posted online after the university declined the hacker’s ransom demand, although the university noted that certain information, including passwords, was no longer active.
The university notified individuals whose information might have been exposed, sending emails with warnings and advice to stay vigilant against phishing, spam, and identity theft.
The affected individuals included not only current students and employees but also alumni and anyone who had previously used the web form to inquire about the university’s programs or events.
Several current and former students have pursued legal action, seeking compensation for the breach’s impact on their privacy and trust. In a 2023 case, a former student received approximately 300 euros in damages after personal information, including medical details, was made public.
The fine represents a settlement, and HAN University, with campuses in Arnhem and Nijmegen, does not plan to contest it, the AP said.
Following the incident, HAN said it had strengthened its information and privacy security measures, introducing enhanced monitoring, raising staff awareness of cyber threats, and placing greater emphasis on General Data Protection Regulation compliance.
HAN has also introduced positions, including a Chief Privacy Officer and additional privacy and security officers (FG, PO), to enhance the safeguarding of personal data across the institution.
Reporting by ANP
