Notification of security breach
A file containing personal information about censors and a number of employees has been accessible on one of ITU's internal network drives. The security breach has been reported to the Danish Data Protection Agency, and the persons affected have been notified.
ITU has contacted 400 people whose information was, by mistake, accessible through an internal network drive. The error was discovered by an employee in ITU's IT department in connection with a routine check of the university's network drives on November 26.
Here, the IT department found a file containing names, job descriptions and CPR numbers of 400 people who have been censors, external lecturers, hourly employees or research assistants at ITU. The file was used for the purpose of selecting censors and paying salaries for the work performed.
In 2015, by mistake and against ITU's guidelines for handling sensitive personal data, an administrative employee placed the file on an internal network drive intended for temporary storage and sharing of files among ITU staff and students. The file has been potentially accessible to anyone with an ITU username and password in the period 2015-2020.
The information has never been accessible via the Internet or to persons not affiliated with ITU.
“Data security has the highest priority at the IT University, and we are taking this security breach extremely seriously. Needless to say, it is completely unacceptable that personal information has been accessible to unauthorized users. I would like to apologize to everyone who is affected by this security breach, and we will do our utmost to ensure that something similar does not happen again,” says Martin Tvede Zachariasen, Vice Chancellor of ITU.
As soon as the security breach was discovered, the file and all other contents of the network drive in question were immediately made inaccessible, and the drive is now disabled. A subsequent review of the drive has not revealed any other breaches of personal data security.
Reported to the Danish Data Protection Agency
ITU reported the security breach to the Danish Data Protection Agency on November 28. The Danish Data Protection Agency requested an in-depth report, which was sent to the agency on December 15.
An internal investigation has shown that it is not possible to get an overview of how many times the file has been opened.
ITU was already in the process of phasing out all network drives and moving to a solution that minimizes the risk of such security breaches. In addition, it is an established focus area to keep employees informed and updated about the rules for handling personal data.
“We have clear guidelines on how personal data should be handled, and it is of course important that all employees know and comply with these. We make a great effort to train employees in secure data management and regularly run internal communication campaigns on data security. Of course, we will now and continuously assess whether our efforts are sufficient,” says Martin Tvede Zachariasen.
The affected persons have been notified of the security breach through e-Boks. These individuals are encouraged to pay extra attention to suspicious inquiries, account movements or bills. If identity theft is suspected, the police should be notified.
Questions regarding the security breach should be directed to ITU's DPO at firstname.lastname@example.org / 93511380.
Vibeke Arildsen, Press Officer, phone 2555 0447, email email@example.com