Unknown persons gained access this weekend to UvA Q, the system in which the UvA processes student feedback. The university reports this on its intranet. The hackers downloaded a database that included students’ names, email addresses and student numbers.
According to the university, the database contains names, UvAnetIDs [login names for UvA systems, ed.] and email addresses of both faculty staff and students, student numbers and information about whether or not students passed a course. The university emphasizes that there were no student passwords in the database. However, passwords of 17 UvA Q users working with the application were reportedly captured. These are now being changed, the university states.
Following the incident, UvA Q was immediately taken offline by the university’s Computer Emergency Response Team (CERT). UvA Q is normally used to collect feedback on education. Students fill out surveys about their courses and teachers, which departments use to improve the teaching.
The university has reported the matter to the police and filed a report with the Authority for the Protection of Personal Data. The supplier of the web application is working on an update to close the leak. It is not clear how long this will take or whether the courses from the first term can be evaluated via UvA Q. The university also warns that phishing emails may be sent in the coming days and weeks.
This spring, the UvA successfully repelled a cyber attack. That cyber attack began after a student installed malware on his laptop.