According to Article 34 of the General Data Protection Regulation (GDPR), data controllers must communicate the personal data breach to the data subject without undue delay. Karlstad University has previously issued information that such a breach has occurred (see links to previous information at the bottom of this text). The following is a summary of the personal data breach, in accordance with Article 34.2 of the GDPR.
Since 15 August 2017, Karlstad University has been using the system Adato for documenting long-term sick leave and rehabilitation. Adato is provided by the company Miljödata, which stores the information on its own servers. On Saturday 23 August, Miljödata was the victim of a cyberattack.
Karlstad University was notified about the cyberattack on Monday 25 August. At this point, it was still unclear whether any personal data had been leaked. The university reported the personal data breach to the Swedish Authority for Privacy Protection (IMY) and the Swedish Civil Contingencies Agency (MSB).
Miljödata’s continued investigation showed that the attackers had gained access to parts of Miljödata’s systems and that information concerning current and former employees at Karlstad University had been leaked and published on the darknet.
Information that has leaked includes:
- Names
- Personal identity numbers
- Contact details (work email addresses, phone numbers and home addresses)
- Number of sick days, if 15 days or more (long-term sick leave)
According to Miljödata’s final report, no specific health-related information, such as causes of illness, medical certificates, rehabilitation plans or notes by managers, has been leaked. Should new information emerge, the university will provide an update.
If you are a current or former employee of Karlstad University and have questions regarding this situation, you are welcome to contact the HR Office at the university via email: hrsupport@kau.se
You are also welcome to contact the university’s data protection officer: dpo@kau.se
There is a risk that the stolen data could be used for fraudulent purposes or combined with other information. However, it is not possible to assess the likelihood of this happening.
Due to the personal data breach, all current and former employees of Karlstad University are urged to remain extra vigilant.
You can find useful tips and advice on how to protect yourself against digital fraud on the website of the Swedish Civil Contingencies Agency (MSB), including information on how to recognise some of the most common methods used by attackers. There are also checklists on what you can do to increase your level of security and what steps to take if you have clicked on a suspicious link or attachment.
Previous information issued by Karlstad University regarding the personal data breach:
- How to protect yourself against digital fraud
- Certain information has leaked following the cyberattack
- Update about cyberattack on system provider
- Cyberattack on system provider
