Computer attack on the UAB would have affected more than 650,000 files and criminals demand 3 M€
The university says it has not contacted the attackers and has no intention of paying the ransom that would release the encrypted documents
The ARA newspaper has been able to access a list of the documents affected by the computer attack at the Universitat Autònoma de Barcelona (UAB) which contains more than 650,000 folders and files. The attack has been perpetrated with a ransomware - a malicious software that encrypts the victim's documents and demands a ransom to be able to access them again - called PYSA. According to the computer security consultant José Nicolás Castellano, and as the ARA has been able to contrast, the attackers are demanding 60 bitcoins (about three million euros) to release the hijacked files, but UAB sources say they have no record of this because, following the recommendations of the Cybersecurity Agency of Catalonia, they have not contacted the attackers and have no intention of paying.
Among the affected documentation that the UAB has not confirmed, as the newspaper ARA has been able to verify from the list of names of the affected files, there are minutes of meetings belonging to different university bodies, student evaluations, teachers' curricula, academic programmes and certificates, invoices, payrolls of university staff, lists of email addresses, plans of buildings, payment orders, agreements with companies and institutions, contracts and even a list of security incidents on campus for eight years. The rector's commissioner for Information and Communication Technologies, Jordi Hernández, has explained to the ARA that they have no proof that all this documentation has left their servers. "We have a computer network that keeps a record of everything that happens, if all this large amount of data had left would have been recorded in the record, and we have no record", Hernandez insisted.
UAB sources say they have reported the incident to the Catalan Data Protection Authority. According to the Authority, whenever there is a security breach it must be notified and, "if the data security breach is likely to entail a high risk to the rights and freedoms of natural persons", it must also be communicated "without undue delay and in clear and simple language". Hernández explains that "as a precaution" they do not dare to completely rule out any possible leaks, but at present they consider it unlikely. He also assures that they follow the protocol for these cases "to the letter" and the recommendations of the Cybersecurity Agency and the Data Protection Authority.
The rector of the UAB, Javier Lafuente, has explained in declarations to the Els Matins de TV3 programme that they have found information that confirms which group is behind the attack and insisted that the university will not contact the cybercriminals. "We do not intend to pay", he said. He also said that, when the attack had already begun, they were able to stop the systems in time so that they were not all infected. Lafuente confirmed that the ransomware attacker is PYSA, although he added that there could be more attackers involved and that they are now working to recover the data. "The Catalan Cybersecurity Agency and a specialised company have been working with us since the beginning", insisted the rector, adding that they have 1,200 servers but three levels of security copies, and he was optimistic about the recovery of the encrypted data.