Further Sample Communication to Interested Parties

Friday, 14 June 2024 (All day)
Following the communication to the concerned parties published on May 22 (Sample Communication to Interested Parties), regarding the data breach caused by the cyber attack by the criminal organization "Lockbit 3.0" against the University of Siena, we provide updates to the concerned parties based on the evidence that has since emerged from the analysis by the technical offices.
Regarding the breach, the University is now able to provide further information about the categories of individuals involved and the compromised data. The nature and methods of the cyber attack were such that they present a high risk to the rights and freedoms of individuals. Specifically, the technicians have verified that the consequences include:
Confidentiality breach: Unauthorized access to personal data occurred. Evidence also shows exfiltration of approximately 500 GB of data.
Integrity and availability breach: Unauthorized encryption of data and deletion of some backups occurred. Most of the affected data were service replicas of data stored and managed by other systems that were not impacted by the attack, and thus are now fully available to the University.
Regarding the categories of affected individuals, the breach involved:
Employees/consultants/external collaborators;
Users, contractors, stakeholders;
Students;
Professors;
Individuals holding social positions;
Vulnerable persons;
Recipients of benefits.
Regarding the categories of compromised data, the breach involved:
Personal identification data;
Contact data (e.g., phone numbers, email addresses);
Access and identification data (e.g., passwords);
Payment data (e.g., IBAN);
Income data (e.g., tax returns);
Salary data (e.g., payroll deductions, payslips);
Identification document data (e.g., ID cards, passports, tax ID codes);
Data revealing racial or ethnic origin (e.g., countries of origin of the concerned parties);
Health data (e.g., information under Law 104/92);
Scanned signature data;
Data related to academic or professional career (e.g., CVs, student numbers);
Internship-related data.
Potential risks and probable consequences of the data breach for the concerned parties include, among others:
Identity theft or impersonation;
Fraud attempts and economic losses;
Reputational damage;
Illegal and unauthorized processing of exfiltrated data;
Loss of control over personal data;
Limitation of the rights of the concerned parties;
Unauthorized third-party knowledge of the data.
The University, with regard to the measures to contain the negative effects of the violation and to remedy it, in addition to reiterating those already reported in the public communication of May 22, announces that it has:
Made, wherever this was promptly possible, direct personal communications to the affected parties regarding the exfiltration of personal data contained in identity card images, and is preparing personal communications to be sent to the affected parties concerning the breach of data relating to disability conditions;
Set up a dedicated collection point, agreed upon with the competent Police Authority, at the University's Legal and Advocacy Division to facilitate criminal complaints related to the exfiltration of personal data contained in the images of identity cards.
The University advises the concerned parties to mitigate the potential negative effects of the illegal processing by being cautious of any communications requesting financial transactions and/or personal information; by monitoring social networks for any attempts to use the data for unauthorized or illegal purposes (e.g., phishing, identity theft); and by always verifying the authenticity and origin of requests received and not ignoring any anomalies.
Additionally, for better protection, it is suggested to change the UnisiPass password through the University's MY platform – https://my.unisi.it – through which notifications have already been sent to users whose credentials have not been updated for over a year.
Further precautions to protect against phishing attacks can be found on the Privacy Guarantor's website at: https://www.garanteprivacy.it/temi/cybersecurity/phishing.
This communication is made publicly because personal communication to each concerned party would require disproportionate effort, given the large number of potential parties involved, their diverse origins, the difficulty in finding their contact details, the volume of compromised data, and the significant organizational burden on the administration. However, upon specific request, the Incident Response Team and the Data Protection Officer are available for targeted checks through the technical offices.
The Incident Response Team and the Data Protection Officer can be contacted at the dedicated data breach address: [email protected].
The Data Protection Officer is Dr. Chiara Silvia Armida Angiolini, and can also be contacted at: [email protected] or [email protected].