University of Warsaw Breach Exposes Student and Staff Data

By: Jordan Vector Cybersecurity Expert

Last updated: April 24, 2026

  • Hackers stole roughly 200,000 files from the University of Warsaw and published the data on the dark web on April 16; approximately 32,800 files contained personal information of students, staff, and applicants.

  • Attackers used compromised login credentials from a malware-infected device to access the university’s systems between January and February; they did not encrypt the data or demand any ransom.

  • The authorities continue investigating the breach, which involved specialized software, as cybersecurity officials work to identify those responsible for the attack.

Polish law enforcement has started investigating the cyberattack on the University of Warsaw. As a result of the breach, the personal information of both staff and students of the university has appeared on the dark web.

In a press release, the Central Bureau for Combating Cybercrime (CBCC) confirmed that the hackers stole around 200,000 files from the university’s computer system and that the compromised data went public after midnight on April 16. The CBCC also stated that no ransom demands were connected with the attack, so the motivation is presently unknown.

Hackers Used Compromised Login Credentials to Access Systems

The hackers who breached the university’s network did not exploit any vulnerability in the system; instead, they used valid credentials that had been compromised from another source. Authorities suspect that a user whose device had previously been infected by malware inadvertently supplied their username and password to the hackers.

Credential theft lets hackers reach restricted areas of a network without having to defeat the security measures that guard a system. Where a would-be intruder would ordinarily need to break through those measures to gain access, an attacker holding stolen credentials simply logs on as a legitimate user.

According to the agency’s spokesperson Marcin Zagorski, the attackers used specialized software during their operations. The file layout of the stolen information within the university system (which has no encryption) also indicates that the thieves prioritized stealing information over disrupting the normal operation of the university.

Investigators noted that the hackers gained access and copied files from the system between January and February. The intruders’ prolonged presence, which remained undetected for many weeks, gave them numerous opportunities to locate and steal the type of information they wanted.

CISA states that compromised credentials continue to be one of the most common forms of intrusion into a computer or network. Implementing multi-factor authentication would greatly reduce the risk of such breaches.

Around 32,800 Files Contained Sensitive Personal Information

The University of Warsaw has confirmed that the breach affected approximately 32,800 records with private data. The records include information on current and past students, staff and administrative personnel, and applicants at the university. There is an ongoing investigation to determine the exact type of exposed data.

It is important to note that although many records were obtained through the breach (approx. 200,000), very few contained PII. Even when the number of compromised records is small, records that contain names, addresses, identification numbers, and/or financial account information can create significant risks of identity theft or fraud for the victims. Records containing PII are highly prized on dark web marketplaces that sell PII to identity thieves and fraudsters.

The agency did not provide any specific details about the types of personal data in the exposed records. In general, records maintained by universities will include:

  • Student records
  • Staff payroll
  • Research data (e.g., student research, staff research, etc.)
  • Medical records from the university’s health services office

Each record type presents a different level of risk to those impacted, causing concern.

Polish media reported that there were posts on dark web platforms that can only be viewed with special privacy-enabled browser software. These anonymous sites allow criminals to buy and sell stolen records from a broad range of locations.

Affected individuals may face prolonged periods of identity theft monitoring due to the exposure of personally identifiable information on certain web forum sites.

Educational institutions continue to be viewed as likely targets for cyber criminals, according to the European Union Agency for Cybersecurity (ENISA). Universities store vast amounts of personal data, yet they often struggle to maintain robust security due to limited budgets.

Investigation Continues as Officials Work to Identify Attackers

The CBCC continues investigating the breach; the agency has not announced any arrests or named any suspects at this time. Cybersecurity officials are also working to determine the full scope of the incident and identify those responsible.

Polish law enforcement cannot link this incident to a particular hacking group. The absence of a ransom request distinguishes this breach from conventional ransomware activity. Some bad actors steal information for purposes of espionage, whereas others sell such data to third parties for profit.

The University of Warsaw has yet to decide whether or not to notify the affected parties individually. The Polish Data Protection Law, which follows the GDPR, requires that organizations report certain data breaches to the relevant authorities within 72 hours.

The Polish Data Protection Agency (UODO) can impose substantial fines on entities that do not protect personal data adequately. GDPR violations can result in fines of up to €20 million or 4% of a company's total global turnover, whichever is greater.

This incident marks the second major cyberattack on a Polish university in recent months. In January this year, the University of Wrocław confirmed a similar breach that exposed student and staff data. The repeated attacks highlight the cybersecurity challenges facing higher education institutions across Europe.

The threat landscape extends beyond educational institutions. The Notepad++ update system compromise demonstrates that even widely trusted software can be hijacked, underscoring the importance of supply chain security and the need for organizations to verify the integrity of the software they use and distribute.
