FSBS Privacy & Data Management

Data Breaches at FSBS: How a simple mistake can have serious consequences

At the Faculty of Social Sciences, we work with a lot of sensitive information—ranging from student records and research data to emails and login credentials. With this comes the responsibility to protect that data from accidental exposure or misuse.

A data breach occurs when personal information is lost, accessed by unauthorized individuals, or exposed to unintended recipients. This could happen in simple, everyday ways: an email sent to the wrong person, a folder shared too broadly, or a misplaced USB stick. These breaches may be accidental, but their consequences can be significant—for both individuals and our institution.

While we rely on digital tools like Microsoft Teams, OneDrive, and Outlook to keep our data secure, it’s essential to remember that these systems are only safe when properly configured. For example, Microsoft Teams allows us to create both private and public environments. When setting up a Teams group for a course, it’s important to use the ‘Class’ template. This template is private by default, meaning participants must be manually added. This ensures that only the intended students and staff can access the group’s materials. However, Teams also makes it easy to share documents or folders with the entire university—sometimes too easy—so it’s crucial to check sharing settings before sending out links.

Zooming out from specific tools, we should understand that a data breach isn’t limited to technical failures or hackers. It includes any situation in which data is accidentally shared, lost, or deleted without proper authorization. And even when we are cautious, mistakes can happen. What matters most is that we act quickly and correctly when they do.

If you suspect that a data breach has occurred—or even if you’re unsure—please report it immediately via datalek@uu.nl. The report will be passed on to the central Privacy Officers at Legal Affairs, who will then contact the faculty’s Privacy Officer. Together, they will assess the situation: Is the breach ongoing? What kind of data is involved? Who might be affected? And in some cases, should the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) be informed?

Timely reporting ensures that we can respond appropriately and limit any potential harm. It’s not about assigning blame, but about protecting students, colleagues, and the integrity of our academic work.

Microsoft Teams privacy setting

At the top: the ‘Class’ template you can use when creating a new Team, where the default privacy setting is private. Bottom-left: for other templates you can choose whether the Team and its files will be private (restricted to people you add) or public (findable and accessible by anyone at the UU). Bottom-right: to check whether your Team is private or public, go to Manage team > Settings and look for the lock icon above ‘Edit’.