Cyber Incident Victim: SWPS University of Humanities and Social Sciences

On or around April 30, 2020, the Polish Data Protection Authority (UODO) initiated an investigation into a ransomware attack targeting SWPS University of Humanities and Social Sciences. The incident compromised personal data belonging to students and employees of the institution, which served as the data controller for the affected information. SWPS University reported the breach to UODO but had not yet notified impacted individuals at the time of the regulator's public announcement. The ransomware attack disrupted university operations, though specific technical details regarding infection vectors, data encryption methods, or ransom demands were not disclosed in available reports. UODO's investigation focused on assessing the breach's compliance implications under data protection regulations, particularly regarding notification obligations to data subjects.

The breach's confirmed impact included unauthorized access to personal information of academic community members, though the exact number of affected individuals and specific data categories remained unspecified in public disclosures. SWPS University's failure to directly inform data subjects about the violation prompted regulatory scrutiny regarding potential violations of breach notification requirements under the GDPR. UODO's intervention emphasized the legal obligation for controllers to communicate breaches to affected parties without undue delay when the incident poses risks to their rights and freedoms. No information was released regarding containment measures, data recovery efforts, or whether the university engaged with threat actors. The investigation sought to determine the adequacy of the institution's response timeline and procedures following the ransomware compromise. Consequences included potential regulatory sanctions and loss of stakeholder trust due to delayed transparency about the security incident.