The Cyberattack on the Hellenic Open University

The Hellenic Open University announced that its information systems were breached in October 2024, resulting in the exposure of 813 GB of data, which has since been found on the dark web.

The attack occurred on October 25 using ransomware software, where the malicious program gained access by exploiting specific user privileges. It infiltrated the university’s primary IT infrastructure, as well as backup storage, leading to encryption of the virtual machine management system and causing disruptions to secondary systems and the data network.

However, the university clarified that not all backup copies were affected, and after a thorough security review, these backups were successfully used to restore the university’s systems and services.

Extent of the Data Leak

The total leaked data amounts to 813 GB, but the university emphasized that this represents only a very small fraction of the institution’s total stored data, which spans multiple terabytes. This suggests that the breach was limited in scope.

The leaked files primarily consist of documents in formats such as .doc, .pdf, and .xls (Excel). These files were confirmed to be circulating on the dark web.

Personal Data That May Have Been Leaked

HOU provided details on the types of personal data that might have been exposed:

• Identity Information: Full name, father’s/mother’s name, status, nationality, gender, date of birth.
• Sensitive Identifiers: Tax Identification Number (AFM), Social Security Number (AMKA), ID card number, student ID, physical signature.
• Contact Details: Address, phone numbers (landline & mobile), email addresses (both personal and institutional), email communications.
• Academic and Educational Records: Grades, academic performance, diplomas, certificates of study.
• Health Data.
• Financial Information: IBAN, invoicing details, expense payment records.
• Professional and Research Data: CVs, research, professional, teaching, and published works.
• Official Decisions and Contracts: Collective body decisions, committee rulings, contracts, supplier details, and procurement offers.

The university clarified that, based on ongoing investigations, the actual leak appears to be more limited than initially estimated.

Official Response and Actions Taken

Following the attack, HOU immediately notified:

• The Cybercrime Division.
• The National Cybersecurity Authority.
• The Hellenic Data Protection Authority (HDPA), which was updated regularly on the situation.

Additionally:

• A special incident management team was formed.
• IT staff worked with a specialized cybersecurity firm to address the breach and contain its effects.
• The affected systems were isolated on the day of the attack (October 25, 2024).
• Guidelines were issued to affected individuals on protecting their personal data.
• Awareness training was reinforced for academic and administrative staff to enhance cybersecurity practices.
• A call for applications was prepared to hire additional specialized IT security personnel.
• A legal complaint was filed against unknown perpetrators responsible for the attack.
• HOU implemented targeted security upgrades, with a broader infrastructure overhaul in progress to strengthen protection mechanisms.

For security reasons, technical details of the implemented and planned measures were not disclosed.

Potential Risks for Affected Individuals

The university warned of possible consequences due to the leaked data, including:

• Phishing attacks targeting affected individuals.
• Email or phone fraud attempts.
• Unauthorized use of personal information leading to identity theft or fraud.
• Misuse of leaked data to create fake accounts or forge documents.
• Social engineering attacks exploiting the exposed information.
• Financial fraud, such as unauthorized transactions.
• Spam emails and telemarketing calls.
• Privacy violations, as personal data may be accessed by unauthorized individuals or groups.

HOU reassured that the number of affected individuals appears to be limited, and the extent of leaked data categories is smaller than initially feared. However, individuals were urged to take precautions to protect their personal information.

Recommended Security Measures for Affected Individuals

HOU advised affected individuals to:

• Change passwords immediately, especially for email and university-related accounts. Use strong, unique passwords with at least 10 characters, including uppercase and lowercase letters, numbers, and symbols.
• Avoid using the same password for multiple accounts.
• Be cautious of suspicious emails or phone calls asking for personal or financial information.
• Do not open links or download attachments from unknown sources.
• Monitor bank transactions for unauthorized activity and report any suspicious transactions to their bank.
• Use updated antivirus software.
• Limit public sharing of personal information on social media and other online platforms.
• Set up alerts for suspicious login attempts on online accounts.
• Report unusual account activity to service providers immediately.
• Register on the National “Do Not Call” list (in Greece) to reduce spam calls.
• Forward spam or phishing emails to HOU’s IT security team (abuse@eap.gr) for further action.

Ongoing Investigation

The investigation is still underway, with cybersecurity experts working to analyze the retrieved and classified files. Further updates will be provided as more details become available.