Cyber Incident Victim: Erasmus University
Date: Nov 2016
Location: Netherlands
Summary
A data breach at Erasmus University compromised approximately 270,000 webforms on a server, exposing sensitive student information. Medical details—including health conditions, dyslexia, and allergies—were present in nearly 5,000 forms. Financial data such as bank account and credit card information was also accessed, though without PINs or security codes. The incident affected at least 17,000 students, with nationality data exposed for nearly 10,000 individuals; the leaked financial records and passport numbers heighten the risk of future identity theft. No passwords were compromised, though the attackers' methods and motives remain unidentified.
Description
In November 2016, Erasmus University suffered a data breach involving unauthorized access to a web server hosting approximately 270,000 webforms. Initial assessments indicated limited exposure of student names, addresses, and login credentials. Subsequent analysis revealed significantly broader compromise, confirming theft of medical and financial records. The breach exposed nearly 5,000 forms containing sensitive health information, including student medical histories, dyslexia diagnoses, allergy profiles, and behavioral condition disclosures. Financial data exposure affected an undisclosed number of students through forms containing bank account details and credit card information, though no PINs or card security codes were stored on the compromised system. University officials confirmed 17,000 students as directly impacted, with potential for higher final totals pending investigation.

Attackers extracted nationality data for nearly 10,000 individuals alongside passport numbers, creating substantial identity theft risks according to preliminary assessments. The breach methodology remained unconfirmed, with no public explanation for how attackers bypassed server security or why password systems appeared unaffected. No containment measures or forensic findings were disclosed in available reporting. Concerns about criminal exploitation centered on the potential sale of combined medical and financial records on the deep web. The incident highlighted vulnerabilities in third-party data hosting environments, though specific service providers or system weaknesses were not identified in public disclosures.
