On Tuesday morning, 3 May, an employee reported having access to reports in Unit4, the financial system used by the University of Twente, to which this employee should not have had access. It turned out that this employee was authorised to view a report with personal data of employees and guest employees, while the employee should not have had access to this. We appreciate that this was reported quickly. This helps to keep the system secure.
The cause was immediately investigated internally. It turned out that during the introduction of this specific component in Unit4 on Monday afternoon, 2 May, an error was made in the allocation of authorisations. As a result, all employees who had access to this section in Unit4 could see this data. The data concerned are: name, M-number, UT e-mail address, date of birth, bank account number (only of employees, not of guest employees), date of commencement of employment, employee type and function.
After discovering this, the Finance service department immediately ensured that the authorisation was adjusted so that there was no longer any unauthorised access. It is not possible to determine how many people actually had unauthorised access to this data. However, we have seen that 116 employees logged in between the time of implementation and the time when the roles were changed. We cannot say for sure whether these people have seen the data.
Besides adjusting these roles, Finance has performed an extra check on other views and linked roles. No inaccuracies were discovered. The Data Protection Officer (firstname.lastname@example.org) has registered this incident as a data breach and is also reporting it to the Dutch Data Protection Authority.
We deeply regret that this incident occurred and apologise for it. If there are any questions following this message, please let us know. You can e-mail your question to email@example.com.
Dennis van Zijl
Director of Finance