
Cyber Incident Victim: Pôle Universitaire Léonard de Vinci

Date: Sep 2022

Location: France

Summary

A cyberattack targeted Pôle Universitaire Léonard de Vinci, compromising an application server containing personal data including civil status, contact information, academic records, official documents, and banking details such as IBANs. The attackers publicly shared evidence of their intrusion via Twitter, framing it as a security test rather than deploying ransomware or demanding payment. The institution shut down affected servers, notified impacted students and staff, and reported the breach to national cybersecurity authorities and law enforcement. While no malicious use of the stolen data was confirmed, the university advised treating all exposed information as potentially circulating among cybercriminals. An investigation was initiated for unauthorized system access and extortion, with potential impact extending to over 20,000 individuals associated with the institution.


Description

On September 24, 2022, the Pôle Universitaire Léonard de Vinci in Courbevoie, France, suffered a cyberattack targeting its application servers. The intrusion occurred during the evening, with attackers gaining access to sensitive personal data including students' and staff members' civil status details, contact information, academic records, administrative documents, and bank account IBANs (though not payment card data). Between September 25 and 26, the institution notified affected individuals via email about the breach. The attackers publicly shared evidence of their intrusion on Twitter shortly after the compromise, attempting to initiate negotiations with the university while claiming their actions constituted a penetration test to expose security vulnerabilities. Unlike typical ransomware operations, they did not encrypt systems or demand ransom payments but sought compensation for allegedly revealing security flaws. The university promptly shut down the compromised servers following the attack.


The incident potentially impacted over 20,000 individuals, including current students (8,000 enrolled during 2021-2022), alumni (12,000), permanent staff (300), and external partners. While no malicious use of stolen data had been confirmed at the time of reporting, the institution advised all affected parties to treat their information as exfiltrated and likely circulating in cybercriminal networks. The university initiated multiple response measures, including contacting France's National Cybersecurity Agency (ANSSI) and the Central Office for Combating Crime Linked to Information Technology (OCLTIC). They formally reported the breach to the CNIL data protection authority on September 26 and filed a criminal complaint the following day. Paris prosecutors opened an investigation on September 25 for "unauthorized access to automated data processing systems and extortion," assigning the case to the National Police's Cybercrime Sub-Directorate (SDLC). The institution maintained operations despite the attack, though the full technical scope and duration of unauthorized access remained under investigation.
