Recently, two computers were stolen from our campus. One of the computers contained archive data of former students. This setup was stand-alone customisation and therefore not equipped with the IT security measures usual for VU Amsterdam. As the possibility of unintended or unauthorised access to this (personal) data cannot be ruled out, VU Amsterdam reported this to the Personal Data Authority (AP). An information page has been set up where the latest state of affairs is updated and answers to frequently asked questions can be found. To reach as many persons involved as possible, VU Amsterdam has written to more alumni than individuals actually affected.
Extra security measures
VU Amsterdam takes the matter highly. After discovering that the computer was missing, VU Amsterdam's Security Operations & Control Centre was called in to investigate the (possible) impact of the incident and a risk analysis was made in collaboration with the data protection officer. A report was also filed with the police and security footage, showing the suspected perpetrators, was shared with police. "Privacy of our students and staff is an absolute top priority for us. We therefore deeply regret that this happened. We are reassessing whether there are similar customised situations for VU Amsterdam", says board member Marcel Nollen.
What is VU Amsterdam doing about prevention?
Devices issued and managed by the IT department are encrypted by default. The computer stolen was a stand-alone setup. This setup was unique and customised and therefore not equipped with the IT security measures usual for VU Amsterdam. The data on the computer was not deleted in time according to the retention period list. An unfortunate case whose confluence of circumstances we - once again - greatly regret.