Due to a vulnerability in the UvA Q web application, unknown parties were able to gain access this weekend to a limited amount of data in the student feedback system. The Security Operations Centre (SOC) detected the intrusion early, and the Computer Emergency Response Team (CERT) intervened quickly. UvA Q was immediately taken offline.
UvA Q is used at the UvA to collect feedback on the education we provide. Using electronic surveys, students anonymously answer questions about the quality of the education they are receiving. The UvA needs this information to maintain the quality of our education and improve it where possible. The results provide teachers with information that they can use to improve their skills and their teaching.
Our ongoing investigations show that a database was downloaded during the intrusion. The database does not contain any passwords but does include names, UvAnet IDs, e-mail addresses of both students and teachers, student numbers and information on whether students had passed a particular course or not. It also includes student reports in which feedback is shown at an aggregated level per course, in some cases including a short reflection by the teacher(s) concerned. These reports are normally used for feedback via Canvas. The passwords of a limited group of UvA Q users (17) who work with the web application were also obtained. Those will now be changed.
The incident has been reported to the police and to the Dutch Data Protection Authority. The supplier of the application is working hard to upgrade it to the most recent and secure version. Until then, unfortunately, UvA Q cannot be used. We don't know exactly how long this will take. We realise that this will cause a delay in the completion of the feedback cycle at the end of the first block of education. We understand that this will cause some issues and we will try to limit the inconvenience as much as possible.
There is a chance that we will see an increase in phishing emails in the coming days. We ask all employees and students to remain alert to this and also to regularly change passwords in accordance with the applicable policies.
Read more about fake emails and how to recognize phishing and ransomware.
An email address has been set up for staff and students who have questions about UvA Q: UvAQ@uva.nl