Cyber Incident Victim: Leiden University

Date: Dec 2022

Location: Netherlands

Summary

A ransomware attack targeted the payroll processing system of JobMotion, impacting individuals employed via the organization for a Dutch university. The compromised system contained extensive personal data, including names, contact details, BSN numbers, financial information, bank account numbers, employment contracts, salary records, and medical leave documentation. The incident was reported to the Dutch Data Protection Authority, and the system's vendor immediately engaged a specialized cybersecurity firm for investigation and recovery. While payroll disbursements proceeded without disruption, the attack caused operational delays in processing new employment contracts. The investigation was nearing completion but had not yet confirmed whether data was exfiltrated, prompting warnings about potential identity theft risks. Service restoration efforts were ongoing during the final stages of the inquiry.

Description

On December 8, 2022, JobMotion B.V., a payroll processing provider for Universiteit Leiden, was informed by its supplier UBplus that its salary administration system had potentially been targeted in a ransomware attack. The compromised system contained extensive personal data of all individuals working for the university through JobMotion, including general contact information, sensitive details such as BSN (Dutch citizen service numbers), financial records, bank account numbers, salary agreements, tax documents, employment contracts, medical leave data, and login credentials. JobMotion immediately lost access to its automation platform, preventing initial direct communication with affected personnel. The company promptly reported the incident as a data breach to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). UBplus engaged a specialized cybercrime firm to conduct forensic investigations and initiate recovery efforts, which restored system functionality after several days of downtime.

The attack disrupted JobMotion’s operations for multiple days, halting processing of new labor contracts and university assignment registrations, resulting in a backlog of administrative work. Despite this disruption, salary payments for student workers and other employees were processed correctly and on schedule during the incident week, with subsequent weekly and monthly payroll runs also proceeding unaffected. JobMotion communicated updates via Universiteit Leiden’s website and its own platform until system access was restored, after which personalized emails were sent to impacted individuals on December 9. The investigation entered its final phase by December 8, with a conclusive report expected the following week. Preliminary findings indicated cautious optimism about data security, though JobMotion emphasized it could not yet rule out third-party access to sensitive information. Affected parties were advised to monitor for identity fraud, with guidance provided to official government resources. Universiteit Leiden established a dedicated helpline for inquiries while JobMotion worked to resolve contractual processing delays caused by the system outage.
