Cyber Incident Victim: Hellenic Open University
Date: Oct 2024
Location: Greece
Summary
The Hellenic Open University suffered a ransomware attack that disrupted its online services and compromised approximately 813 GB of sensitive data, including personal identifiers, financial records, medical information, academic documents, and bank account details, which were subsequently leaked on the dark web. The incident caused prolonged website outages affecting all students, while delayed disclosure exacerbated concerns among stakeholders—particularly military-affiliated individuals who feared national security implications. The institution isolated affected systems, collaborated with national cybersecurity and law enforcement agencies, and initiated infrastructure upgrades while advising impacted individuals to enhance their digital security measures.
Description
On October 25, 2024, the Hellenic Open University (HOU) suffered a cyberattack that disrupted its website and critical online systems, forcing a multi-day outage during a holiday weekend. The attack, later confirmed by police sources to involve unauthorized file tampering, immediately impacted the institution’s 35,000 students, whose studies rely entirely on online platforms. Initial assessments by authorities could not determine whether the attackers issued a ransom demand. HOU Rector Manolis Koutouzis acknowledged persistent technical issues and ongoing recovery efforts but provided no immediate details on the attack’s scope. The disruption extended to academic schedules, administrative functions, and student services, creating widespread operational paralysis. Subsequent investigations revealed the incident involved ransomware that compromised the university’s primary IT infrastructure and backup systems by exploiting specific administrative privileges. Attackers encrypted the virtual machine management system and caused secondary network malfunctions, though the university recovered unaffected backup copies to restore services after security vetting.

The full scale of the breach became apparent months later when HOU confirmed on March 28, 2025, that 813 GB of sensitive data had leaked onto the dark web. Exfiltrated data included names, tax identification numbers, social security details, identity documents, signatures, photographs, contact information, bank accounts, payment records, medical data, academic transcripts, diplomas, contracts, institutional correspondence, and collective council decisions. While HOU downplayed the leak as a "limited-scale" incident relative to its multi-terabyte data holdings, the exposure triggered alarms among students and alumni, particularly military personnel who feared national security risks from potential leaks of sensitive military information. Students had raised concerns since November 2024 about the university’s delayed transparency, demanding clarity on compromised data and protective measures. The attackers’ use of ransomware coincided with dark web threats to release data unless unspecified ransoms were paid, though HOU did not confirm whether it received explicit demands.

In response, the university isolated affected systems on October 25, notified Greece’s National Cybersecurity Authority, Electronic Crime Prosecution Directorate, and Data Protection Authority, and formed an incident management team. Technical remediation involved collaboration with external cybersecurity experts, enhanced infrastructure safeguards, and legal actions against unidentified perpetrators. HOU advised impacted individuals to change passwords, monitor financial activity, enable multi-factor authentication, and report phishing attempts while acknowledging potential risks like identity theft, fraud, and social engineering attacks stemming from the breach.
