The AStA hereby informs you about a data breach in which data of students and external persons were probably made accessible to unauthorised persons:

What happened?

Several files containing information on internal financial data of the constituted student body of the University of Rostock from the years 2020 and 2021 were publicly available for four months in the StudiCloud, the cloud for student committees of the University of Rostock.
The reason for this event and its late discovery lies in the release structure of documents in StudiCloud. It is often not possible to see exactly who has access to which documents. Therefore, it was not realised that the above-mentioned documents were available to the university public.

When did it happen?

The incident was noticed in the night from 20 March to 21 March 2024. The documents had been available to the university since November 2023.

What data is affected?

In detail, the files contain the following personal data

• Date of the transfer
• Surname and first name
• Payment subject
• Transfer amount
• IBAN and BIC in three cases
• Signatures in three cases
• Who has received the data?

The StudiCloud can be accessed by anyone who has a corresponding account at the University of Rostock. It is no longer possible to prove who actually accessed the documents, as the StudiCloud log data does not go back far enough.

What measures have already been taken to limit the damage?

The subfolder containing the documents has been deleted.

Awareness of the release of documents in the StudiCloud is being raised once again.
In particular, we are working on a better concept for processing data protection incidents to improve the implementation of measures and communication in the event of data protection incidents.

The StudiCloud settings for sharing documents will soon be revised to make the public settings clearer. The aim of this is to ensure that such errors can be avoided completely at best, but at least recognised at an early stage.

It is also planned to check all other documents in the StudiCloud for public access in a timely manner. However, it cannot be assumed that any other documents related to this incident are still publicly available at the university, as the folder in question has been completely deleted.