Cyber Incident Victim: Technische Universiteit Eindhoven
Date:
Sep 2022
Location:
Netherlands
Summary
A ransomware attack targeting IT provider ID-Ware compromised personal data of 21,000 TU Eindhoven students and staff, including names, private email addresses, home addresses, birthplaces, student numbers, and pass numbers, which were subsequently published on the dark web. The breach also affected an unspecified number of Hogeschool Utrecht employees, exposing their names, addresses, and staff numbers. Initially believed to impact 1,800 individuals, the scale was later revised upward. The university warned of heightened phishing risks due to the exposed data's potential misuse in fraudulent communications. Investigations continued to determine if additional datasets were compromised, while ID-Ware did not publicly respond to inquiries.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In September 2022, a ransomware attack targeting IT service provider ID-Ware compromised sensitive data belonging to thousands of individuals associated with TU Eindhoven and Hogeschool Utrecht. ID-Ware, which managed access systems for multiple organizations including the Dutch parliament and TU Eindhoven’s campus pass system, suffered a breach where criminal hackers exfiltrated and later published data on the dark web. The attackers obtained personal information of 21,000 TU Eindhoven pass holders, including students, staff, and campus-affiliated company employees. Initially, ID-Ware estimated only 1,800 passes were affected, but by October 14, 2022, the university was notified the true scope involved 21,000 individuals. The leaked data included full names, private email addresses, home addresses, birthplaces, student numbers, and pass numbers. Separately, an unspecified number of Hogeschool Utrecht staff records—containing names, addresses, and employee numbers—were also stolen, though student data appeared unaffected as campus cards were stored elsewhere. Both institutions reported the breach to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
TU Eindhoven notified all affected individuals via email, acknowledging that while the stolen data couldn’t directly grant access to university systems or buildings, it elevated phishing risks. Cybersecurity experts like ESET Nederland’s Dave Maasland warned that the volume and specificity of the data enabled highly convincing phishing campaigns, as criminals could reference authentic details to impersonate trusted entities. Concurrently, Hogeschool Utrecht launched investigations to determine the full extent of their compromised staff records. TU Eindhoven cautioned that additional datasets might still surface on the dark web, citing an ongoing monitoring effort. The breach’s collateral damage included unrelated High Tech Campus employee photos appearing on dark web forums, though no personal data accompanied those files. ID-Ware did not publicly address the incident or respond to media inquiries, leaving critical questions about their security measures unresolved.