Based on the information available to us from the analyses of the cyber attack on our university, we know that data has been leaked. As a first step, we are informing you about this as part of our obligation to notify you pursuant to Article 34 of the GDPR.
What happened?
On 18 September, 2023, a cyber attack occurred at Furtwangen University. As a first measure, we shut down all systems and took them offline. According to current knowledge, the malware may have been introduced into our IT systems before this date. It cannot be ruled out that the attackers will make the leaked data available to undetermined third parties. Parts of this data may be of considerable relevance under data protection law.
What you must now pay attention to!
1. Follow the instructions of Furtwangen University regarding the reassignment of your passwords and the establishment of the further security architecture for the HFU services.
2. If you use your previous HFU password with other services, change the passwords with different services to passwords that are independent of each other. It is generally not recommended to use the same password multiple times or similar passwords. Avoid using personal characteristics when assigning passwords.
3. If you have saved passwords on the central file storage of Furtwangen University or on your end devices, make sure to change them.
4. Pay special attention to phishing campaigns via email and other communication channels in which you are asked to provide login data or are redirected to third-party sites where you are asked to register by providing your data. Also question such requests that contain personal information about you in order to build up supposed trust.
What is Furtwangen University doing?
All affected systems have been shut down. We have begun to completely rebuild HFU's central IT infrastructure. The findings and recommendations of the external service provider, the investigating authorities and the Baden-Württemberg cybersecurity agency gained in the course of the incident are being implemented in the new security architecture in a university-specific manner. This means both technical and organisational changes. The reconstruction will be carried out in stages and prioritised. It may still take several months before all IT systems are fully restored and transferred.
We have engaged an IT crisis service provider to help us manage the IT security incident. Furthermore, we have reported the incident to the State Commissioner for Data Protection and Freedom of Information (LfDI) in accordance with Art. 33 DSGVO. We will continue to inform you on an ongoing basis, including via this website, in general terms as well as with regard to reporting requirements pursuant to Art. 34 DSGVO.
The official Data Protection Officer of Furtwangen University has been involved. If you have any questions, please feel free to contact us by email at datenschutz(at)hfu.eu.
Rolf Schofer, Rector and Andrea Linke, Chancellor of Furtwangen University