More UvA staff affected by Odido hack than previously thought
In the large-scale cyberattack on telecom provider Odido, the data of more UvA-employees were stolen than previously assumed. While the university initially believed that a limited group of forty staff members had been affected, the leak now appears likely to involve the data of hundreds of employees.
The scale of the hack at telecom provider Odido seems to be larger for the UvA than initially thought. When it became known last month that the hacker group Shinyhunters had obtained the data of more than 6 million customers of the phone company, the university informed staff via its employee portal that the impact on UvA employees was limited. The data of staff members with a business phone subscription had reportedly not been affected. The UvA wrote in a statement: “It does affect a limited group of approximately forty contacts who have access to Odido’s business portal.”
For this article, Folia randomly checked 1,500 different @uva.nl email addresses using the publicly accessible websites haveibeenpwned.com and datagelekt.nl. Of these 1,500 accounts, 82 appeared in the leaked Odido database.
Folia has not had access to, nor insight into, the other personal data of these employees.
However, it appears that the data of more UvA staff members and administrators may have been exposed due to the hack. Using publicly accessible tools, Folia checked a sample of 1,500 @uva.nl addresses in the leaked database, which has since been fully released by the hackers. Of these, 82 addresses – more than five percent of the sample – were found in the leak. If that percentage is representative of the more than 6,000 UvA employees, the data of at least several hundred staff members could be present in the database. These are potentially employees with a private Odido subscription linked to their work email address.
Risk of phishing
The presence of @uva.nl email addresses in the leak is not, in itself, problematic; these emails can already be publicly found on the university’s website. More concerning is the combination with other data. In the Odido hack, not only email addresses but also phone numbers, home addresses, dates of birth, bank account numbers, and sometimes even identity documents were stolen. It is unclear which specific data was leaked for each UvA employee.
Cybercriminals frequently use such combined data lists for phishing. With accurate personal information, they can send convincing messages in the name of banks or government agencies. Combined with a work email address, there is also a risk of spear phishing: highly personalized attacks that mislead employees by, for example, impersonating the UvA. The UvA previously warned employees with a private Odido account to remain extra alert for phishing emails.
Informing employees
A UvA spokesperson said the university depends on the information shared by Odido for official figures. The telecom provider is still investigating the situation and has so far not reported higher numbers to the UvA; a formal update is expected later this week. Due to indications that the scale of the leak may be larger than previously thought, the ICT department posted an update on the staff website on Friday warning employees to remain extra alert to suspicious emails, text messages, or phone calls.
You can also check your own email address for inclusion in the data leak via haveibeenpwned.com and datagelekt.nl. The Dutch police provide a similar checking tool.
