The data security incident at the University of Pannonia, which has caused quite a stir in recent days, is taking an increasingly interesting turn.
The press first reported on Monday that the University of Pannonia had been hit by a serious data security incident in which the personal data of many students was published on the Internet. In practice, a database that should not have been there at all could be found on the World Wide Web, even through Google. After the case came to light, it turned out that the database contained the names of those who applied for a dormitory place for the 2007/2008 academic year, along with their Neptune code, the password used on the dormitory admissions website, ID card number, bank account number, home address, etc.
The University of Pannonia has launched an internal investigation but, according to our current information, has not yet made a report to the police. The Veszprém Police Headquarters, however, has opened an investigation on its own authority against an unknown perpetrator, on well-founded suspicion of a breach of the computer system and data.
A lot of different information came to light this week about exactly what happened at the university. First, a blogger known as RaszP drew attention to the incident, at which point an administrative omission or error could be suspected in the background of the case. Later, the Student Government (HÖK) sent out a letter in connection with the case. It can still be read in many places on the Internet, but we are not publishing it because we believe doing so would further increase the exposure of student data. The e-mail states that the passwords have been changed not only in the dormitory system, but also in Neptune. This in itself would not be a problem, as many students use the same password for different systems. However, the HÖK letter also reveals that automatically generated passwords have come into effect, and these can be worked out with a good chance of success from the information in the letter combined with, among other things, searches of various social networking websites, at least until students change these passwords.
The letter from the HÖK was followed by an official statement in which the Rector reported on what had happened and described the findings of the investigations carried out so far:
"Recently, there was an attack against the Dormitory server of the Pannon University, which contained data related to the dormitory applications of the students of the Veszprém Campus in a temporarily saved file. During the break-in, the intruder deleted security files on the server, thereby making the database accessible to unauthorized persons via the Internet. After this became clear, the system administrator immediately took the necessary protective measures and immediately ensured that the data was no longer accessible to unauthorized persons. The affected data file comes from a temporary save of a previous state of the electronic dormitory application of the Veszprém Campus. The database contains only a fraction of the student data reported by internet news portals, but this does not affect the seriousness of the case."
The rector mentioned that the dormitory system concerned is only accessible to students for one month per academic year, during the dormitory application period. He then added that "even before the incident, a decision was made that the Pannon University would like to devote additional significant financial resources to the security of its IT systems and protection against external attacks." In light of the events, this decision appears to have come somewhat late. It is also easy to imagine, however, that if human error was involved, the incident could not have been prevented even with stronger technical protection. In that case, though, the question of gaps in the security regulations arises. Unfortunately, there is currently no further official information regarding the alleged intruder and his activities.
We know that the specific security incident occurred on September 20th, so we still have to find out what happened to the data over the last few weeks and why the incident has only just come to light. As more relevant information comes to light, we will, of course, report on it.