Data breach public groups in SharePoint/Teams
In a data breach reported on 21 March 2023, the data of approximately 750 SharePoint groups (including data from Teams) that were set to "public" became accessible to users across the university's SharePoint/Teams environment. By using a specific search query, students and colleagues were potentially able to find these public groups and access the data they contained. It is unclear whether such access actually occurred. The data in the SharePoint groups ranged from regular personal data (e.g. names and university email addresses) to sensitive personal data such as CVs and sensitive group chats. The breach was reported to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) in March.
Each SharePoint group has a public/private setting that determines whether the data stored in that group can be found and accessed by other SharePoint/Teams users. A large number of groups were incorrectly set to "public".
How the breach occurred
An internal investigation has not revealed how the breach occurred. Some of the sites will have been set to public on purpose, but it remains unclear why the other sites were not set to private. Because the cause of the breach was unclear, this notification was delayed. The privacy and security of your personal data are of the highest importance, and that is why we are nonetheless informing you of the breach now.
Measures and further action
All necessary steps to fix the vulnerability have been taken. After the data breach was reported, an investigation was launched by the ISSC CERT team and the Privacy Office. The search query has been blocked, and SharePoint sites can no longer be accessed in this way.
When creating a new group in MS Teams, please be mindful before setting access to the group to "public": this means that any university staff member is able to find and access the group and its data.
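Blocking the search query removes one way of finding public groups; a group that remains set to "public" is still accessible to anyone in the tenant who knows of it, so the setting itself is what an administrator should review. The following PowerShell script is an added example, not Leiden University's own script: it lists every Microsoft 365 group (the object that backs both a Team and its SharePoint group site) whose access type is Public, exports them for review with the group owners, and shows how a confirmed subset can be switched to Private. It assumes the ExchangeOnlineManagement module is installed, an account with Exchange admin rights, and placeholder file names; the CSV of owner-confirmed groups is a constructed input.

```powershell
# Added example: audit Microsoft 365 groups for the "Public" access type.
# Assumes the ExchangeOnlineManagement module and an Exchange admin account.
Connect-ExchangeOnline

# Every Microsoft 365 group in the tenant; AccessType is 'Public' or 'Private'.
$groups = Get-UnifiedGroup -ResultSize Unlimited
$public = $groups | Where-Object { $_.AccessType -eq 'Public' }

"{0} of {1} Microsoft 365 groups are Public" -f $public.Count, $groups.Count

# Export the public groups with owner and creation date so each one can be
# checked with its owners: some groups are public on purpose.
$public |
    Select-Object DisplayName, PrimarySmtpAddress, AccessType, WhenCreated, ManagedBy |
    Sort-Object WhenCreated |
    Export-Csv -Path .\public-groups.csv -NoTypeInformation

# After review, a CSV containing only the groups that should NOT be public
# (placeholder file name; constructed input with a PrimarySmtpAddress column)
# drives the change. -WhatIf previews the change; remove it to apply.
$toFix = Import-Csv -Path .\public-groups-to-fix.csv
foreach ($g in $toFix) {
    Set-UnifiedGroup -Identity $g.PrimarySmtpAddress -AccessType Private -WhatIf
}

# Optional cross-check from the Teams side (requires the MicrosoftTeams module):
# Connect-MicrosoftTeams
# Get-Team | Where-Object { $_.Visibility -eq 'Public' } |
#     Select-Object DisplayName, GroupId, Visibility
```

Run the audit on a schedule and compare the export against the previous run: a group that newly appears as Public is the case this notice warns about, and catching it shortly after creation is far cheaper than discovering it through a search query later.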
We deeply regret any inconvenience this data breach may have caused. We are committed to safeguarding your personal data and have taken steps to prevent similar incidents in the future.
Questions or concerns?
If you have any questions regarding this data breach, please do not hesitate to contact Leiden University’s Privacy Office or the Data Protection Officer at firstname.lastname@example.org.