Hackers release stolen Uni data online
The notorious Medusa ransomware gang has fulfilled its threat and leaked stolen information from the Open University of Cyprus to the dark web, making it available to data brokers and identity thieves.
The ransomware group leaked encrypted folders with sensitive data as the institution refused to pay a ransom of $100,000 after a two-week notice from the day of the cyberattack. The payment deadline expired on Thursday, with the OUC internet security expert Dinos Pastos confirming that the data has been published online.
Quoted by Phileleftheros daily, Pastos said that files are currently not accessible, but he believes it is a matter of days before we see data leakage on various websites.
“At the moment, they only exist on the dark web.” He estimated the files were stolen over several days due to the sheer volume and added that there are files from 2010 onwards.
Local media said student lists with personally identifiable information and financial details of research contractors had appeared online.
Pastos also believes the leaked data could contain passwords, files, photos, medical certificates, and emails.
Cyprus Police said that while they had access to the dark web, the data could only be accessed with specific software.
Victims’ information may be stored online on the dark web in encrypted form, while those wishing to decrypt the files cannot do so without help from Medusa.
Commissioner for personal data protection, Irene Loizidou-Nikolaidou, told state radio CyBC on Friday that her office will be looking into measures and safety networks applied by the institution.
Loizidou-Nikolaidou said the fact that OUC refused to pay the ransom would not impact the probe, as her office’s task is to determine whether the institution had taken all designated measures to protect personal data.
The Commissioner urged people who may be affected by the leak to inform their banks and other service providers to be on the lookout for any suspicious activity.
“If I had anything to do with the OUC, I would be on the phone with my bank right now,” said the Commissioner.
She said that her office had received 67 complaints of personal data leaks in 2022; this year, they have received 30.
“However, we have never received a complaint concerning data loss of this size”.
Cyprus has suffered from a series of high-impact cyber incidents since the beginning of 2023, the most notable being a paralysing attack against the online portal of the land registry on March 8.
Three months earlier, hackers targeted the emails of members of the Cyprus University of Technology (TEPAK).
After gaining access to the accounts, the hackers managed to trick officials by giving instructions to pay a ‘significant amount’, pretending to be a European Union agency. Last month, a similar attack on the state-funded University of Cyprus saw servers shut down to prevent malicious access.
No details were provided about the incident, but services went offline as a precaution.