
Cyber Incident Victim: Universitat Autònoma de Barcelona

Date: Oct 2021

Location: Spain

Summary

A ransomware attack targeted the Autonomous University of Barcelona, prompting the shutdown of internal networks and campus internet, which disrupted remote learning and online-dependent classes. Servers remained offline for over a month, with full recovery expected to take several additional months, though the virtual campus might resume in the second semester. Compromised files included publicly accessible data such as salaries, teaching materials, and exchange agreements, while confidential information like bank details and academic records was reportedly stored on unaffected systems. The institution maintained three backups but opted for a gradual server reconstruction to enhance security and repeatedly refused ransom demands, restoring all user passwords after more than a week without evidence of data leaks.


Description

On October 11, 2021, the Autonomous University of Barcelona (UAB) suffered a major ransomware attack originating from the dark web, prompting immediate emergency measures. The university disconnected its internal networks and shut down all campus internet access to contain the breach, disrupting academic operations across the institution. Remote learning sessions were canceled outright, along with any in-person classes requiring online resources or digital platforms. The attack compromised hundreds of thousands of files containing publicly accessible information such as international exchange agreements, salary records, and teaching materials. While UAB maintained three backup copies of affected systems, administrators opted for a deliberate, phased restoration process to mitigate reinfection risks rather than deploying backups immediately. Rector Javier Lafuente confirmed the university refused all ransom demands from the attackers, a stance repeatedly reaffirmed throughout the response.


One month post-attack, core systems remained offline with no definitive timeline for full recovery, though Lafuente suggested the virtual campus might resume in the second academic semester. The university restored all student and staff passwords approximately one week prior to Lafuente’s November press briefing, marking the first significant operational restoration. Lafuente asserted no evidence existed of data leaks from the compromised servers and expressed no concern regarding confidential information like bank details or academic transcripts, stating these resided on separate, unaffected infrastructure. Academic and administrative functions continued under adapted workflows, with the rector emphasizing caution in recovery efforts to avoid further vulnerabilities. Restoration activities focused on rebuilding systems incrementally rather than reactivating compromised backups, prolonging the disruption but prioritizing long-term security. The incident caused sustained operational limitations across Catalonia’s prominent higher education institution, with full normalization projected to require additional months.
