The stolen laptop contained the names and addresses of 14,000 students, the personal data of 1,100 employees and the application letters and CVs of 200 applicants. All this information was saved locally on the non-encrypted hard disk. Encryption is a coding system that only allows access to authorised users. Without encryption, a hard disk is relatively easy to read.
The laptop was stolen on 17 September. For privacy reasons, TU Delft is not making it known whose laptop it was or in which service or faculty the person worked. TU Delft believes that the thief stole the laptop for the laptop itself rather than for the information as it was a physical theft rather than a cyber attack. “We have to see if the stolen personal data will be used in any way,” says Erik van Leeuwen, TU Delft Data Protection Officer. “Should this be the case, TU Delft will take the required measures such as reporting it to the police.”
What to watch out for
In the meantime, the data leak has been reported to the Dutch Data Protection Authority. As far as possible, the people whose data was contained in the laptop have been informed of the theft and asked to be alert. TU Delft’s privacy team believes that it will have contacted everyone by the beginning of next week.
At present about 35% of ICT managed systems are encrypted
Van Leeuwen says that TU Delft has received a few dozen responses. “They are saying that they appreciate TU Delft informing them about this, but they also raise some issues. Staff and students are asking what they can do and what they should watch out for if the personal data that was leaked is being misused.”
The stolen laptop incident points to a weak point in TU Delft’s data security. At present about 35% of ICT managed systems are encrypted. From summer 2019 onwards, all new laptops were encrypted as a matter of course, but several older laptops are still to be done. At the moment this can only be done if the laptops are physically on campus and this has been delayed by the corona crisis. ICT is working on a solution that will soon be rolled out.
What can staff and students do in the meantime to make sure their data is secure? Van Leeuwen advises them to use secure storage locations such as Surfdrive. He also requests everyone to remove the personal data that they do not need anymore on time. “If your laptop is not yet encrypted, be even more aware of the data that you save locally and what data will be synchronised locally such as through Surfdrive. If necessary, turn the synchronisation off.”