
Cyber Incident Victim: CVO Antwerpen

Date: Apr 2023

Location: Belgium

Summary

A cyberattack targeted GO! CVO Antwerpen, impacting its administrative software package. A significant volume of data was downloaded, and certain information was later published on the dark web. The confirmed compromised data includes financial transactions and may involve personal details such as identification numbers, contact information, family composition, educational and professional background, bank account numbers, and diploma data. The organization reported the incident to the police and the relevant data protection authority.


Description

On the night of April 18 to April 19, 2023, GO! CVO Antwerpen, a central adult education center, fell victim to a cyberattack. The organization promptly reported the incident to the police and to the Vlaamse Toezichtcommissie voor de bescherming van persoonsgegevens, the Flemish supervisory commission for the protection of personal data. The attack specifically impacted the administrative software package used by the institution. Initial analysis confirmed that a large package of data was downloaded by the attackers during the breach. For a significant period following the incident, the exact nature of the data exfiltrated was not known to the school's administration, creating a state of uncertainty regarding the full scope of the compromise.

This uncertainty persisted until June 22, 2023, when the police informed CVO Antwerpen that certain stolen data had been published by the hackers on a dangerous website on the dark web. The dark web was described as a part of the internet that is not searchable by ordinary search engines like Google and that is known as a place where illegal information is often published. The confirmation of data publication escalated the severity of the incident from a confidentiality breach to a public data exposure. The school was able to confirm with certainty that financial transactions from the period 2020 to 2023 were among the data published. This indicated that the attackers had successfully exfiltrated and then released a subset of the organization's sensitive financial records.

The total set of data that was downloaded from the administrative systems was extensive. While the complete contents of the exfiltrated data package were not fully known, the school identified that the compromised information could include a wide array of personal details. The potentially involved data categories included identification details, contact information, family composition, educational history, study certificates, professional career history, data concerning workplace accidents, expenses for which reimbursement was requested, diploma details, national registry number, IT resources provided by the school, and bank account numbers. The institution explicitly stated that it did not know with certainty which specific data pertaining to each individual would be published on the dark web, but that it could not rule out the possibility following the hack.

The primary impacts of the incident were the violation of personal data privacy and the elevated risk of fraud for the affected individuals. The school's leadership issued a formal apology to those whose data was compromised, acknowledging the gravity of the situation. The public exposure of such detailed personal and financial information created significant risks for the data subjects. Criminals could potentially misuse this information to impersonate a family member or engage in other forms of fraud. The specific mention of bank account numbers and national registry numbers heightened the potential for financial theft and identity fraud.

In response to the police notification and the confirmation of data publication, CVO Antwerpen initiated a direct communication campaign to inform the affected individuals. This communication was conducted after consultation with experts in the field. The school notified individuals that their data had appeared in the hacked applications and provided them with a list of the types of data that may have been involved. The response included a set of safety tips aimed at helping individuals protect themselves in the wake of the breach. These tips advised people to be very alert for phishing attempts via email, telephone, WhatsApp, or other media and to be vigilant against identity fraud.

The organization also provided specific guidance regarding communications purportedly from itself, instructing individuals to carefully check all details such as the sender's email address and the bank account number provided in any correspondence, explicitly stating the school's legitimate account was BE36 0682 3286 3681. Furthermore, individuals were advised to change their passwords, with a specific warning about the dangers of password reuse across different online forums and services. The school directed people to an external resource for additional cybersecurity advice, providing a link to "Home – Snel Geleerd, Slim Online" on the cybercrimetips.nl website. The response established a dedicated channel for questions, instructing individuals to contact [email protected] for any inquiries related to the incident. The final and strongly emphasized piece of advice was for anyone noticing suspicious activity to notify the police immediately. The incident response was managed under the direction of Eddy Hancké, the director of GO! CVO Antwerpen, who signed the official communication. The overarching goal of the response was to provide transparency, inform affected parties of the potential risks, and offer practical steps to enhance their personal security following the data exposure.
