[BreachExchange] Erasmus University Data Breach Exposes Students’ Medical and Financial Information

Audrey McNeil audrey at riskbasedsecurity.com
Thu Dec 1 19:21:21 EST 2016


http://themerkle.com/erasmus-university-data-breach-exposes-students-medical-and-financial-information/

Not too long ago, the Erasmus University was a victim of a data breach.
Although initial results indicated not too much sensitive information was
obtained by hackers in the process, it looks as if those findings need to
be revised. New data reveals that medical and financial details belonging
to an undisclosed number of students were obtained during the breach.

Every time a company or institution gets hacked, the question immediately
becomes whether the financial information has been leaked. In most cases,
the answer to that question is affirmative. When Erasmus University was
hacked a couple of weeks ago, it appeared that only student names,
addresses, and logins were obtained. But that is only part of the real
story.

A total of 270,000 webforms residing on one particular web server were
breached during the attack. Close to 5,000 forms contain student medical
information, indicating their health and whether or not they suffer from
specific ailments. Moreover, they also provide insights into diseases such
as dyslexia, allergies, or other conditions relevant to their behavior.

To make matters worse, an even larger undisclosed number of students also
had financial information attached to their web forms. This includes bank
account details and credit card information. However, no PIN codes or
security codes are stored on the platform, which is a minor consolation
for now.

A total of 17,000 students were affected by the data breach, although it is
possible that the final tally will be much higher. Nearly 10,000
individuals had their nationality exposed, which should not necessarily be
a grave concern. Preliminary results indicate that nearly the same number
of students may suffer from identity theft in the future, due to their
financial information or passport numbers being obtained by criminals.

What is rather peculiar is how no passwords were part of the data breach.
How that is even possible remains everybody’s guess for the time being.
More worryingly, no one knows how hackers managed to breach the server
security, or what they are planning to do with the obtained information. A
sale of information on the deep web is not unlikely at this stage.

Data breaches are becoming far too common these days. Not only are hackers
targeting bigger companies, but they are also attempting to obtain
medical, personal, and financial information from anyone and everyone in
the world. Third-party services hosting this data are usually the most
vulnerable link in the chain.