The mission: the personal data of 17 000 students is under a threat – crisis management team takes action

The mission: the personal data of 17 000 students is under a threat – crisis management team takes action

The situation is dreadful, to say the least. A data leakage has been detected in a database of the distinguished, fictive University of Guilder, containing health-related information. The situation may have horrific effects on both student privacy and the university's reputation.

This university of 15,000 students is well-known for its high-quality teaching of economic science, business, medicine, law, liberal arts and linguistics. One of the research groups keeps a database of students for its research on epidemics. The user interface has been programmed by one of the doctoral candidates in the research group.

It has come to light that intruders may have been able to access the vulnerable database through the universities' shared information network. The university's crisis management team has been assembled, and is trying to figure out what has happened.

The team members include a Vice Dean responsible for administration, an Information Security Manager, Data Protection Officer, Communications Officer and Faculty Director. The crisis communication exercise can begin.

Find out the facts

Leader for one of the teams in the exercise, Cyber Security Specialist Timo Salin from Aalto University, introduces the assignment to the team. The team has to first consider what kinds of issues they need to take care of during the crisis, such as communication. Next,  the team has to decide what they need in order to complete the task with adequately, such as documentation, or telephone lines.  

After this, they need to address the actual problem and find out the facts: What has happened and why, what are the possible consequences, who will be affected and how? What are the implications for the university's reputation? Is the university a victim, or perhaps even responsible for the situation to arise?

At the beginning, limit the analysis of the causes to the most important factors, the training provider suggests.

The aim is to practice how to manage and communicate in a situation where only incomplete information is available. The team has two lifelines at their disposal. In technical matters, the group is guided by Head of Security at CSC Urpo Kaila, and the role of other possible stakeholders is played by Product Manager for Privacy & Security Charlie van Genuchten from Surfnet, who has organised the entire exercise. However, the team has access to more information only if it is able to ask the adequate questions.

Limiting the damage

Deep in thought, the team members roll up their sleeves, and begin to determine whether the information they have been given is valid.

– I would start by contacting system administration to find out whether the computer containing the  leaked data has been disconnected from the network, and whether  logs have been contained and copied to another location, the team reasons and sets off to solve the situation.

The team investigates if there is a description of where the data is stored, what kind of information is involved, and where it has leaked. It is considered of primary importance to inform the Data Protection Officer on the threatening situation, so that he or she can make an announcement of the incident within the deadline.

After confirming that the server in questions has been identified and external network access has been blocked, the team begins to prepare an announcement and agrees on the division of labour in more detail.

The team members who work as data protection and security specialists in their daily life soon pay attention to matters that they would really carry out in their work. The fast pace of the crisis exercise, however, quickly makes the team return their attention to communication.

Ten minutes after the has exercise started, the group receives a phone call from the National Cyber Security Centre.

– We cannot be sure how long the database has been vulnerable for, and how much data has leaked out.

The crisis team members say they have noticed the vulnerability, blocked access to the system, and are now investigating the incident.

Come out, truth!

The team starts to look for further information and is prepared to inform any persons under threat. Some want to hold back the communication until they know in more detail how the data leakage will affect these persons, and what it will mean to them.

The team agrees in more detail on the mutual division of tasks and how to  manage  of the situation. The leader in the crisis room agrees with the Communications Officer and Deputy Dean on how to organise communication with the stakeholders. While waiting for more detailed reports from information security, the Data Protection Officer prepares the the communication  bulletins with the Communications Officer.

Five minutes later, the game gets tougher as the team receives a message from the Deputy Dean  stating that the database has included the following: persons' names, e-mail addresses, student IDs, age, gender, and health reckords of the person.   Data has been accumulated from 2008 onwards, which means that the personal information of nearly 17,000 people is at risk.

The Data Protection Officer immediately informs the authorities and the Data Protection Authority on the data protection violation.

Blackmail has started

Then the telephone rings again.

The IT help desk  indicates that the students have received queries from strange email addresses requiring ransom for personal data protection. They want a quick response: what is this about? Is it a scam?

The team instructs the the help desk  to record all the cases and forward the messages to the Information Security Manager. The message recipients are told not to respond to the messages. The team waits for additional information.

The team prepares the communications officer and deputy dean  to answer questions, as they assume that the next phone call will be from a reporter. It is agreed that, if the call comes, it is diverted to the Deputy Dean.

As the team learns that the information has leaked to the Pastebin website, they are certain that the media will be interested.

The team drafts an announcement describing the facts so far.

In addition, they prepare to inform the data subjects on what data has leaked, and collect the data subjects' contact information. The data subjects are given all the relevant information: the kind of data that has leaked and that it has been used for the purposes of blackmail. The team consistently advises the data subjects not to respond to the blackmail letters.

Decisions are put to test

The dreaded phone call echoes in the room: A reporter calls the Communications Officer and demands answers.

– How can a data leakage be possible? Was this caused by an employee? Have you contacted the victims? How will the data subjects be compensated for this? Why does the university have such a database in the first place?

"A huge data breach at the University of Guilder: 17,000 students' personal information at risk."

As agreed, the call is diverted to the Deputy Dean.

The Vice President calmly explains that the incident was caused by a security breach for technical reasons: in other words, it was a criminal offence. Someone has searched for personal data, and the information security authorities have been notified accordingly. The situation is as much under control as it can be at this stage.

The involved parties have been informed, and further measures are under consideration. The data was related to the university's normal operations, and all involved parties had approved the inclusion of their information in the database.

After the reporter's call, the team reports the offence to the police.

Thereafter, tabloid headlines are screaming: A huge data breach at the University of Guilder: 17,000 students' personal information at risk.

Resolution of the incident

The team decides that, at this point at the latest, customer service shall be informed on the fact that a press release has been sent, as well as on other related measures. It should be emphasised that the situation is under control and the damaged system has been disabled. Other staff should also be informed accordingly.

In the future, the team would emphasise more strongly than before that data collected for research should be anonymised, that is, the involved persons should be unidentifiable.

At the end of the exercise, when the Ministry of Education and Culture demand answers, the university has a response ready. The root cause of the data leakage was the fact that the system was technically vulnerable. In the future, the university must take better care of the systems in which personal data is stored, and make sure that information which is not needed is not stored.

In hindsight:

  • Investigate, where else the same vulnerability may occur
  • Improve processes for monitoring research in the future, to make sure this does not happen again
  • It would be good to have communication templates or pre-filled forms ready for the Data Protection Officer to use when communicating with the Data Protection Ombudsman or research groups
  • You should dare to say that more information will be provided later when you have more details
  • Communications should be centralised and people should have clear roles
  • Make the responsibilities of all participants in the situation room clear at the very beginning, preferably already before the crisis happens
  • Prepare for situations where someone responsible is absent or unable to attend
  • Additional training for all

The crisis management exercise was held at Seinäjoki University of Applied Sciences. The event was organized by SEAMK's Jarmo Jaskari and Asmo Myllyaho as well as Urpo Kaila from CSC. For the article one of teams participating the exercise was followed. The team consisted of Jukka Tuomela (University of Tampere), Hannu Hirvonen (University of Vaasa), Maria Rehbinder (Aalto University), Mikael Albrecht (Hanken), Dennis Holtlund (Åbo Akademi), Timo Salin (Aalto University), Vesa Gynther (Haaga-Helia), Göran Jansson (Novia) and  Jouni Kangas (University of Vaasa).

Read more: Practicing prepares for crisis situations

Published originally 18.04.2019

More about this topic » Go to insights and news »

Maria Virkkula