Newsroom
Encrypted folders with stolen information from Open University of Cyprus may be available on the dark web, where data brokers and identity thieves can now buy access to private information of students and staff after the institution failed to pay ransom.
Medusa, a notorious ransomware gang that claimed the cyberattack, had given the public university 14 days to pay $100,000 in exchange for release codes.
The payment deadline expired on Thursday, giving rise to social debate on data security and how those affected can protect their private information.
Officials said they were not sure if data had been leaked online, while Cyprus Police said this week whey, too, had access to the dark web, an overlay network within the internet that can only be accessed with specific software.
Victims’ information may be stored online on the dark web in encrypted form, while those wishing to decrypt the files -whether they are victims or evil doers- cannot do so without help from Medusa
But the attackers on the OUC network claimed to have penetrated file backup systems, targeting mail servers, database servers, and security software.
Local media said student lists with personally identifiable information, financial details of research contractors, and other information already appeared online.
Knews understands that victims’ information may be stored online somewhere on the dark web in encrypted form, while those wishing to decrypt the files -whether they are victims or evil doers- cannot do so without help from Medusa.
Possible uses of stolen information typically include impersonating someone in order to open a line of credit with a financial institution or using sensitive information for malign purposes.
Similar attacks took place last month at the public-funded flagship University of Cyprus as well as the state’s Land Registry, where officials said computer servers were shut down temporarily to prevent malicious access.
Cyprus Police said no ransom would be paid to Medusa in the case of Open University, while it was not clear whether ransom was paid in other cases.
But Cyprus’ commissioner for personal data protection, Irene Loizidou-Nikolaidou, says it is still not clear if any sensitive data in all three cases have been leaked online.
Loizidou-Nikolaidou told state radio on Friday that her office was reviewing public notifications from affected organizations, saying some more information was still pending from OUC.
“Organizations are obligated to notify those affected,” the commissioner said, adding that citizens could file complaints with her office.
“It is proven that not complying with rules on notifications is counter-productive to the organizations,” she said.
According to Loizidou-Nikolaidou, there were more organizations in the private sector reporting attacks than in the public sector, adding that last year her office had 67 cases while this year so far there were 30.