Notification regarding a computer attack on the University of Reykjavík

21.2.2024

Following a cyberattack on Reykjavik University (RU) at the end of January/beginning of February, where the University's systems were taken down and locked with encryption, experts have been working to analyze and investigate the attack, rebuild computer systems and recover data. That work has gone well. It should be noted that as soon as the security breach was discovered, extensive measures were taken to block the access of the attackers and limit the impact on the rights and freedoms of the individuals on whom RU processes information.

In a press release from RU on February 4th 2024, it was stated that there were no signs of large-scale data theft, although partial data theft could not be ruled out. It was also reported in the same press release that experts had not seen any traces of data other than some names, social security numbers, email addresses and encrypted passwords of users being copied from RU's systems. However, closer investigation has revealed that data was stolen. Experts believe that the attackers were able to download 185 GB of data from RU's central drives that housed a total of 15 TB (15000 GB).

Cyber-security specialists do not expect that it will be possible to see with certainty exactly what data was stolen from these central drives, even though the amount of data is known. The Data Protection Authority has already been informed.

The drives from which data was stolen contain data that could affect a large group of former and current students and staff, applicants for studies and jobs at RU, and others who are or have been connected to RU's operations. The data that was hosted on those drives contains information from RU's operations, which the University processes according to the nature of its operations, e.g. personnel matters, information about students, certain delimited research data, operational information, financial information as well as other data that might be personally identifiable. This includes information of a sensitive nature, e.g. information about grades, disciplinary matters, salary matters, and sensitive personal information in the sense of the Data Protection Act, e.g. information on union membership and health information that has been sent to the University. However, experts see no sign that the private folders of individual employees were accessed. It is worth mentioning that data from RU's student psychological services was not stored on these drives.

The investigation of data on the central drives will continue within RU and the results will be reported to the relevant parties, if and when necessary.

Please note that this is not an exhaustive list of the types of information that could be affected, but the above should cover most categories of personal information stored on said drives.

Reykjavik University emphasizes that there is no indication that the attacker has misused this information, but it cannot be ruled out that the information has been copied and will be published by said party. RU is monitoring that aspect of the case and will provide relevant information if and when necessary.

If any questions arise regarding the data theft, we suggest that you contact RU's Data Protection Officer via the email address personuvernd@ru.is.