In the middle of the weekend, almost two weeks ago, cybersecurity experts from Eindhoven University of Technology detected intruders on their network. To ensure that no data could be stolen, the IT team shut down the entire network.
De Volkskrant now reports, based on anonymous sources, that the intruders gained access using stolen ‘keys’. The hackers had the passwords of a student and an employee at the university.
It is common for passwords to be leaked or stolen through phishing emails. To prevent direct logins using these credentials, the vast majority of educational institutions have two-step authentication, says the joint ICT organisation Surf in response to inquiries.
Employees and students must enter an additional security code after logging in, usually generated by an app on their smartphone. The question remains whether the hackers bypassed this second step. It’s also possible that not all of the university’s applications were protected with this extra layer of security.
According to de Volkskrant, TU/e shared information about the hack with other educational institutions. In response, Radboud University announced last week that it had expedited the implementation of two-step login for a specific application, EduVPN. For many other applications at the university, users already had to enter an extra code when logging in.
EduVPN is an application by Surf that allows remote workers to connect to the university’s network. The institutions themselves determine the level of security on the application, explains Tom Hoven, spokesperson for Surf. “Our advice to institutions is to do this in a risk-based manner. Universities know where sensitive data is stored, so they decide where to implement two-step authentication.”
Last Monday, TU Eindhoven’s network was functioning properly again, and classes have fully resumed. The university has hired Fox-IT to further investigate the hack. The police are also investigating, reports the university newspaper Cursor. The university plans to make the lessons learned from this hack public in April.