Cyber Incident Victim: Universidade Católica Portuguesa
Date: Nov 2022
Location: Portugal
Summary
A cyberattack targeted Universidade Católica Portuguesa's Porto campus, disrupting academic services and forcing suspension of digital tools for students and staff. The institution notified data protection authorities but not the national cybersecurity center, as it's a private entity. While no personal data compromise was confirmed, recovery involved gradual restoration of systems and mandatory password changes conducted off-site due to disabled Wi-Fi access. During the outage, the community relied on external file-sharing platforms to maintain operations.
Description
On or around November 30, 2022, criminal intruders compromised information systems at the Porto campus of Universidade Católica Portuguesa (UCP), forcing the suspension of multiple electronic services for students and faculty. The university confirmed the incident stemmed from a criminal intrusion and immediately notified its academic community of the system disruption. Internal academic operations faced significant disruptions for approximately two weeks, though email services reportedly remained functional throughout the incident. Students and staff resorted to alternative file-transfer platforms such as Dropbox and WeTransfer to maintain workflow continuity. UCP did not formally notify Portugal’s National Cybersecurity Center (CNCS), as it is a private institution not classified among critical national services, but it did submit a breach notification to the National Data Protection Commission (CNPD). University leadership issued internal communications acknowledging the cyberattack’s role in disabling electronic tools—marking the first explicit disclosure of such an incident to the campus community according to sources familiar with the matter.

The university’s incident response included gradual restoration of affected systems, though recovery efforts encountered operational challenges. Password resets for university accounts had to be conducted off-campus due to persistent Wi-Fi network unavailability at Porto facilities. UCP’s press office asserted no evidence indicated compromise of personal data belonging to students, staff, or other data subjects, framing its communications to the community as legally compliant disclosures. While the institution contacted unspecified "competent authorities," technical specifics regarding the attack vector, data exfiltration attempts, or attacker identity remained undisclosed in public statements. Internal documents reviewed by media noted the phased reactivation of services but did not detail forensic findings or security enhancements implemented post-incident. Academic activities resumed fully following the two-week disruption period, with no further operational impacts reported beyond the initial timeframe.
