Sample Communication to Interested Parties

Wednesday, 22 May 2024 - 09:00

Following the cyber attack on the University's IT systems by a cyber criminal organisation, we are writing to inform you that a personal data breach has occurred, potentially presenting a high risk to the rights and freedoms of individuals.

From the analysis conducted so far by the university's technical offices, with the support of a specialized company and in collaboration with the National Cybersecurity Agency (ACN), it has been determined that the cyberattack exclusively affected the University's virtualization infrastructure. This attack resulted in the loss of some data, a small portion of which is currently unrecoverable, and the loss of confidentiality of some data, quantified at approximately 500 GBytes, including personal data.

Further Communication to Interested Parties

Through damage analysis operations and the subsequent start of remediation and system restoration activities, which are still ongoing, it has been verified that the breach involved personal data, including contact, personal identification, administrative, contractual and potentially sensitive data, concerning individuals from various stakeholder categories (administrative staff, faculty, students, suppliers, freelancers and, in general, anyone who has interacted with the University).

At this time, technicians have confirmed that the criminal organization named "Lockbit 3," in addition to having accessed a significant volume of personal data processed by the University for its institutional purposes, also exfiltrated files contained in some folders on the shared storage between offices and encrypted a substantial volume of personal data. Specifically, a database containing various types of data was encrypted; most of the data affected by the encryption were replicas of data stored and managed by other systems that were not impacted by the attack. The data for which recovery cannot currently be guaranteed are being cataloged.

The cybercriminal organization Lockbit 3.0 has disclosed the attack and data exfiltration on the dark web, publishing some images of the stolen documents as proof and stating that they will make the data available on their Data Leak Site (DLS) starting May 28 at 18:03 UTC, which is 20:03 Italian time.

Continuing Communication to Interested Parties

As part of the ongoing activities to monitor and contain the negative effects of the breach, the University has implemented the following measures in addition to those already adopted immediately after the event and described in the previous communication:

  • Continuous and constant monitoring of incoming and outgoing Internet traffic on the University's network to identify any residual threats during the restoration of operations;
  • Adoption of necessary technical and organizational measures to enhance the security level of the University's systems, such as expanding the monitoring perimeter of events on the institutional SIEM, enforcing traffic policies on the perimeter firewall, and implementing additional security measures for VPN access and unisiPass accounts;
  • Secure restoration of network service functionalities that were deactivated following the attack or precautionarily to prevent the compromise of additional systems. In particular, full access to shared storage has been restored for personnel accessing through virtual terminals. Access to storage for personnel working with physical PCs will be activated only after ensuring the installation of antivirus software agents on their PCs;
  • Providing technical-administrative staff with new methods of remote access to internal network services, following union consultations;
  • Increasing the staff of the Organization and Information Systems Area by hiring five personnel, one of whom is specifically dedicated to the University's cybersecurity;
  • Inventorying exfiltrated shared folders: the content analysis is underway to identify the type of personal data breached and the specifically affected individuals;
  • Inventorying data that has been completely lost, so that the specific mandatory communications can be made;
  • Daily meetings of the Incident Response Team to monitor the progress of restoration activities, implement consequent measures, and define internal communication policies;
  • Communicating with academic bodies to disseminate security enhancement policies and the resulting decisions.

Assessment of Potential Risks and Consequences

At present, we have assessed that the potential risks and likely consequences of the personal data breach resulting from this attack, although not definitively confirmed, could include, among others:

  • Identity theft or impersonation;
  • Misuse of exfiltrated data for purposes contrary to law and illicit activities;
  • Loss of control over personal data;
  • Limitations on the rights of the individuals concerned;
  • Unauthorized access to the data by third parties.

The University, while regretting the incident, advises individuals to be vigilant and take precautions to contain and mitigate the possible negative effects of unlawful processing. It is recommended that individuals pay attention to any communications requesting financial transactions and/or personal information, as these could be attempts to misuse data for unauthorized or illicit purposes (e.g., computer fraud, phishing, identity theft). In this regard, it is advised to always verify the authenticity and source of such communications.

In addition, to provide further protection to all individuals involved, it is suggested to change the unisiPass password through the University's MY platform - https://my.unisi.it, for which timely notifications have been sent for credentials not updated for over a year.

Moreover, additional precautions to protect against phishing attacks can be found on the website of the Italian Data Protection Authority, at the following informative page: https://www.garanteprivacy.it/temi/cybersecurity/phishing.

The University of Siena and the Data Protection Officer remain fully available for any needs or clarifications. It is emphasized that, as soon as possible, based on the technical timing required to identify the types of data and the individuals and/or categories of data and individuals specifically involved in the breach, further communications will be provided in the most appropriate forms.

The Incident Response Team and the Data Protection Officer can be contacted at the dedicated data breach address: [email protected].

The Data Protection Officer is Dr. Chiara Silvia Armida Angiolini and can also be contacted at the following addresses: [email protected] or [email protected].