Update on data breach: risk assessment and measures taken
In a previous announcement, we informed you that, following the migration from SAP to BAS-InSite, personal data was inadvertently visible for a short while. This update provides more information about the incident and the results of our investigation.
What happened?
Data migrated to new system
On Monday 5 January 2026, the university went live with BAS-InSite, our new administration system. In the old system, expense claims submitted by staff, among others, were processed by making them ‘creditors’ in the system. During the migration to the new system, all university suppliers to whom payments had been made in the past two years were transferred to the new system. People who had submitted expense claims and had therefore been made creditors were also part of this migration.
Data inadvertently visible
In BAS-InSite, a deliberate decision was made to allow all university staff to view our suppliers, so that procurement activities are carried out in a mindful and lawful way. The portal displayed the names and addresses of these suppliers along with a telephone number and email address. Because people who had submitted an expense claim were also included in the migration, their names, addresses and telephone numbers were inadvertently visible to university staff who were logged into the system. The email address field was not filled in for these people.
Reported by staff and changed in the system
On Monday 5 January, at around midday, the ISSC was notified that this personal data was visible. The data breach was resolved at about 14:45 hrs. Since then, the data of people who have submitted expense claims has no longer been visible to other staff members. Only the data of business contacts is visible in the Procurement portal in BAS-InSite. The standard overview of this supplier data has also been changed: only the place name is displayed alongside the supplier’s name. A supplier’s full address can be viewed by clicking through to an additional screen, an action that is logged by the system.
Risk assessment
Resolving the breach was our priority. Then the Privacy Office staff investigated whether data had been viewed and, if so, which data and by whom. They also assessed the risk the breach entailed. This included requesting log files from the supplier.
The conclusions so far:
- 661 staff members may have had access to the procurement page on which the personal data was inadvertently visible.
- Based on the log files, we cannot determine whether searches were made to find specific people’s data.
- The names of 11 people were clicked on to see their detail page. This page did not contain any additional information.
- For these 11 instances, we have received statements from the staff who were logged in and have been able to determine that no misuse of personal data took place.
- The data breach has been reported to the Dutch Data Protection Authority.
- We estimate the risk that the exposed data will be misused to be very low. Only Leiden University staff who had logged in with multi-factor authentication could, for a short period, have had access to this data.
- In the (unlikely) event that a staff member with malicious intent had access, we consider it probable that a person's detail page would have been opened. Such an action would have been recorded in our log file, and the colleagues concerned have provided a satisfactory explanation for every detail-page view that was logged.
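The investigation described above (who could have seen the list during the exposure window, which expense claimants' detail pages were opened, and the "additional check" a colleague can request) can be reproduced as a small log-triage script. This is an added example, not code from the university or from BAS-InSite; the log format, user ids, creditor ids and the start of the exposure window are all assumptions, and the sample log is constructed.

```python
from datetime import datetime

# Constructed audit log in an assumed "<timestamp> <user> <action> <target>" format.
# This is not BAS-InSite's real log format; ids and times are made up.
SAMPLE_LOG = """\
2026-01-05T09:12:03 u1001 VIEW_LIST procurement
2026-01-05T09:13:10 u1001 VIEW_DETAIL creditor=C-0007
2026-01-05T10:40:55 u1002 VIEW_LIST procurement
2026-01-05T11:02:21 u1003 VIEW_DETAIL creditor=C-0003
2026-01-05T14:50:00 u1004 VIEW_LIST procurement
"""

# Constructed register: creditor ids that belong to staff who filed expense claims
# (the records that should never have been visible), as opposed to business suppliers.
EXPENSE_CLAIMANTS = {"C-0003", "C-0011"}

# Exposure window: go-live day (start time assumed) until the 14:45 fix in the announcement.
EXPOSURE_START = datetime(2026, 1, 5, 0, 0)
EXPOSURE_END = datetime(2026, 1, 5, 14, 45)


def parse_log(text):
    """Return (timestamp, user, action, target) tuples, one per non-empty line."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, action, target = line.split()
            events.append((datetime.fromisoformat(ts), user, action, target))
    return events


def in_window(events):
    """Keep only events that occurred while claimant data was visible."""
    return [e for e in events if EXPOSURE_START <= e[0] < EXPOSURE_END]


def potential_viewers(events):
    """Users with any logged procurement-portal activity inside the window."""
    return {user for _, user, _, _ in in_window(events)}


def claimant_detail_views(events):
    """(user, creditor) pairs where an expense claimant's detail page was opened.
    These are the logged actions for which staff statements must be obtained."""
    return [(user, target.split("=", 1)[1])
            for _, user, action, target in in_window(events)
            if action == "VIEW_DETAIL" and target.split("=", 1)[1] in EXPENSE_CLAIMANTS]


def could_have_viewed(events, colleague):
    """The 'additional check': was this colleague active in the portal during the window?"""
    return colleague in potential_viewers(events)
```

A detail-page view of a supplier record (u1001 above) is excluded on purpose; only views of claimant records need follow-up.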
Request an additional check
If you want to check whether your address or telephone number has been viewed by a specific colleague, please contact: privacy@bb.leidenuniv.nl. We can look together at whether this person is one of the 661 colleagues who could have viewed your data. You can also contact the Privacy Office with other questions about this data breach at: privacy@bb.leidenuniv.nl.
Evaluation
Having resolved the breach and assessed the risk, we are now evaluating how this could have happened despite careful preparation and testing. Migrating to another administration system is a relatively rare situation, which means that structural measures to prevent this are not standard practice. Before BAS-InSite went live, a technical control known as a penetration test (pentest) was performed to assess the security of the environment. We are currently investigating whether future pentests can evaluate not only the technical security but also the configuration of the different system components.
We are also evaluating the steps taken to inform our community. We regret that some staff learned about the data breach from a third party.
Questions about privacy
For questions about the way in which Leiden University handles your personal data, please contact the Privacy Office at: privacy@bb.leidenuniv.nl.
If you would prefer to contact an independent privacy officer, please contact our Data Protection Officer at: fg@bb.leidenuniv.nl.