Universiteit Leiden


ICT, Security

Data breach in public groups in SharePoint/Teams

21 December 2023

A data breach was detected on 24 October 2023. Data from about 155 public groups (open to all staff) in SharePoint (which also stores Teams data) could potentially be viewed by students and staff who have access to SharePoint. These public groups were closed (set to private) immediately after the data breach was identified. Parties or individuals outside the university did not have access to the data.

The groups in question were created after a previous data breach in March. Groups existing at that time were closed but it turned out that some new SharePoint groups were set as public by default. This meant that students/staff who were not members of these groups were able to view the data.

As groups were also deleted and created at the time of the investigation, it is not possible to determine which personal data could be viewed. The data does at least include names, email addresses and ‘conversations’ via the chat function.

The data breach has been reported to the Personal Data Authority.

Groups in SharePoint/Teams

Within SharePoint and Teams, you have the option to set a group as public or private. This determines whether data in the group can be found and accessed by students and staff who are not members of that group. A large number of groups were set to public. Some groups are deliberately public because this suits the group’s purpose. Other groups were not meant to be public but were set to public anyway through human error.

Measures and follow-up

We regret the inconvenience this data breach may have caused. Protecting the personal data of our students and staff is our top priority and we have taken steps to prevent such incidents in the future.

The ISSC’s CERT team and the Privacy Office launched an investigation after the data breach was reported. The public groups have been closed. If groups need to be reopened, this can be done through an application process and a check based on the ‘four eyes principle’. The application process for public SharePoint sites has also been changed to ensure that such data breaches are less likely to occur in the future.

Questions?

Please contact the Privacy Office or Data Protection Officer with any questions: privacy@bb.leidenuniv.nl.
