Skip to main content
SDUnet

Search

Dansk
Menu

Data protection and information security

Security breaches

Most people experience being involved in a security incident at one point or another. It's what can happen, but when it does, it's important that breaches are handled as soon as possible. Here's what to do when a breach occurs.

Dealing with security breaches

  • Breaches must be reported, partly to protect the individuals whose information is involved, partly to prevent possible damage to SDU's business, and not least to learn from the incident.

    It is not enough to simply ask the recipient of a misdirected email to delete it, to fail to register the breach because your computer was "only" gone for an hour on the train or that "they have a duty of confidentiality, so it doesn't matter." All incidents must be registered on SDU's internal security incident log.

    When you receive emails, you should always make sure that they are sent by a trustworthy recipient (e.g. call the sender or ask a colleague if they have received a similar email if you receive something suspicious). In such a case, you can use the "Report Phishing" button in Outlook. If you have accidentally clicked on a suspicious link and fear that you have lost control of your IT equipment, fill out the security breach report form.

  • When you report a security incident via the form, the University of Southern Denmark processes information about you - specifically your full name and email address. The data is processed solely for the following purposes:

    • To identify the person who has reported a security breach
    • To be able to acknowledge the report
    • To be able to contact the reporter if further information about the case/incident is required

    The data is therefore processed solely to enable SDU as data controller to comply with the rules on keeping an internal log of security breaches. If you have any questions about the processing of your personal data in this regard, you can contact SDU's Data Protection Officer.

  • If you are in doubt about anything, you can contact your local information security coordinator. SDU RIO and/or SDU IT will receive your report and assess the case.

    Report security breaches

Definition of a security breach - the formal one

A personal data breach has occurred when the breach results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, whether the processing is physical or electronic. Loss of or unauthorised access to information that is not personal data but is of a grade worthy of protection (e.g. patents, confidential agreements, contracts or other) must - just like a personal data breach - be reported if it is lost or becomes accessible to unauthorised persons.

Examples of security breaches

With many different types of information being processed at SDU on a daily basis, it can be difficult to determine whether or not there has been a security breach. See the examples below.

  • This is the type of breach we often see at SDU:

    • Mails sent to the wrong recipients
    • Assignments sent for external assessment that have been made available to unauthorised persons
    • Incorrect decisions
    • Attached emails sent to the correct recipient etc.

    All emails with personal data sent to the wrong recipient (or with incorrect content), even if it is internal between SDU employees, must be reported as a personal data breach.

  • The employee realised that they had access to recorded videos (information material, study group meetings, interviews, etc.) that they had no purpose for watching. The source of the breach was the setup of the individual Teams sites. If the Teams site is set up as a "public team", then anyone with an SDU account has access to (and the ability to edit, add documents, etc.) the Teams site in question - and several staff and students were not aware of this.

  • A SharePoint site was used for student travel reimbursements. An SDU employee had created and managed the site, but when the employee left SDU in 2016 +/-, no position had been taken on who should take over the site/whether the site should be deleted.

    In 2020, a change was made to the overall SharePoint access rights, which made it possible for people with a little technical savvy to search the site via the URL - making personal data accessible to unauthorised persons.

  • After a technical change in Pure, information that was previously hidden in PURE was publicly displayed on the internet. This included selected employees' social security numbers, addresses and named family members. This was a negative consequence of the technical change, and this type of information should not be freely available on the internet.
  • SDU has experienced several examples where lecturers have published slides or other course material containing personal data. This could be names, X-rays with CPR numbers, cars with licence plates, non-anonymised data from surveys, etc. Of course, you are allowed to indicate sources (name, and thus personal data) to comply with scientific integrity. If you want to use examples in your teaching, use names like "Anders Andersen" or "Børge Børgesen".
  • An employee at SDU had received IT technical support via remote access. Later in the day, it was discovered that the remote access had mistakenly not been cancelled. Another SDU employee could therefore potentially have had access to ordinary, confidential and sensitive information without a purpose. It was therefore reported as a personal data breach.

Aggregated list of common breaches experienced across all companies/organisations

  1. Email sent to wrong recipient
  2. Lost computers/tablets/smartphones/dictaphones
  3. Forgotten documents with personal data in a physical location (e.g. at the printer or in an examination room)
  4. Personal data accessed by mistake (e.g. incorrect access rights to systems/documents/other)
  5. Loss of information due to power failure (e.g. research material in freezers)
  6. Information is accidentally deleted/changed or information is disclosed to an unauthorised person/company/institution
  7. Reaction (e.g. clicked on link and then (possibly also) logged in) to email with link from what turned out to be an untrustworthy sender (phishing)

Do you have any questions?

The GDPR and Information Security Coordinators are your local contact and advisor for day-to-day data protection and information security at SDU.

See also