Notice regarding a personal data breach

Dear All,

 

The data controller, the University of Warsaw (UW), with its registered office in Warsaw at Krakowskie Przedmieście 26/28, 00-927 Warsaw, pursuant to Article 34 of Regulation (EU) (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: the GDPR), hereby informs you of a potential personal data breach.

 

This notice is addressed to members of the academic community of the University of Warsaw, including students, doctoral candidates, prospective students, employees, and persons collaborating with the University, whose personal data may have been affected by the incident that occurred on the night of 15th/16th April 2026.

 

We understand that such situations can cause concern, which is why we are taking this matter very seriously. We took immediate action to mitigate the impact of the incident and to better secure data in the future. We are continuously analysing the situation and doing everything possible to ensure that similar incidents do not recur. At the same time, the University of Warsaw has reported the breach to the President of the Personal Data Protection Office, and we are actively cooperating with CERT Polska and the Central Bureau for Combating Cybercrime (CBZC).

 

Below, we provide:

1. Description of the nature of the breach – what happened, a description of the causes and the course of the incident.
2. Information on possible consequences – what this may mean for you, and what the potential effects of this situation are.
3. Information on the actions taken and measures implemented to mitigate the impact of the incident – what we are doing about this, what steps we have already taken and what further action we are taking.
4. Guidance on possible steps you can take yourself – how you can further protect your personal data.

 

Description of the nature of the breach

The breach occurred as a result of unauthorised access to the University of Warsaw’s IT systems. An unauthorised person logged into the system using valid credentials (username and password) that had previously been compromised – most likely as a result of malware on the user’s device.

 

Thanks to the use of valid login credentials, this activity did not arouse suspicion for a long time. Those responsible for the attack operated in a dispersed and difficult-to-detect manner, gradually gaining access to further parts of the system.

 

During the incident, the following occurred:

– a breach of confidentiality:

• unauthorised access to personal data,
• its copying, and subsequent publication on the internet (darknet),

– a breach of integrity:

• potential modification of data (this cannot be completely ruled out).

 

There was no permanent blocking of access to data (encryption) or disruption to the operation of the university’s key systems.

 

The incident was detected on 9th February 2026 as part of preventive measures carried out by the security team in response to reports of a global ransomware campaign. Security measures were implemented immediately upon detection. At that time, the analysis did not indicate that any data had leaked outside the university’s infrastructure.

 

The analyses carried out indicate that:

• the data may have been copied between January and February 2026,
• it was published on the darknet during the night of 15–16 April 2026.

 

What data might have been affected by this incident?

 

The analysis established that the dataset published on the darknet comprised a very large number of files (approx. 200,000, size: 850 GB). The vast majority of files containing personal data originated from two units of the University of Warsaw – the Faculty of Modern Languages and the Faculty of Applied Social Sciences and Resocialisation. Some of these (approx. 650 GB) consisted of audiovisual materials of a public nature.

At the same time, part of the collection (approx. 200 GB) contained various types of data, including personal data. Of these, approx. 32,800 files may have contained personal data.

 

The scope of personal data varied and, depending on the case, could include:

• identification data (e.g. name and surname, date of birth, gender, nationality),
• special categories of identification data (e.g. PESEL number, identity document number and series, passport number),
• contact details (e.g. residential address, email address, telephone number, username),
• financial and tax data (e.g. bank account number, data from tax documents),
• employment-related data (e.g. contracts, employment history),
• health data (e.g. information contained in sick notes),
• social security data,
• data contained in electronic correspondence,
• image.

 

The incident may have specifically affected:

• employess at the University of Warsaw,
• students,
• prospective students,
• doctoral candidates,
• former employees and associates,
• and other individuals associated with the university’s activities.

 

At this stage, we cannot definitively confirm whether, and if so, which specific individuals’ data has been affected by the incident. The investigation into the incident is ongoing. Therefore, in the interests of security, we encourage you to read the guidelines below and to follow the latest updates published on the University’s website.

 

Possible consequences

Given the nature of the incident and the scope of the data that may have been affected, there is a high risk of infringement of the rights and freedoms of data subjects. In particular, this risk stems from the possibility of unauthorised use of identification, contact and financial data, as well as other personal information.

 

Potential consequences (depending on the scope of the data) may include:

 

Loss of control over data and privacy

• loss of control over personal data, including not knowing who may use it and for what purpose,
• breach of privacy, including the disclosure of personal data to unauthorised persons,
• further unauthorised dissemination of data, including on the internet.

 

Identity theft and misuse of data

• identity theft or impersonation using identification data (e.g. name and surname, PESEL number, identity document details, contact details),
• creating online accounts (e.g. email, social media) or registering for services using your data,
• using data to conceal identity or carry out unlawful activities.

 

Financial and legal risks

• incurring financial obligations without your knowledge (e.g. loans, hire purchase),
• entering into civil law contracts (e.g. telecommunications services, subscriptions),
• using your data for tax or business purposes (e.g. submitting false declarations, registering a business),
• attempts to fraudulently obtain benefits, compensation or other financial gains,
• the need to clarify official or financial matters with which the person in question has no actual connection.

 

Risks related to public services and health

• unauthorised use of data in public or medical systems (e.g. using PESEL number),
• gaining access to health information or claiming benefits on behalf of another person.

 

Risks related to studies and the academic environment

• unauthorised access to university or educational systems (e.g. data on studies, grades, achievements),
• impersonating students, doctoral candidates or applicants during admissions processes or in communication with the university,
• using data for fraud related to admissions, scholarships or job offers,
• unauthorised use of data in an academic or professional context,
• disclosure of information regarding studies, admissions or professional status.

 

Risks associated with sensitive and professional data

• disclosure of health data,
• disclosure of personnel and financial data (e.g. regarding employment or remuneration),
• infringement of personal rights, including reputation or good name,
• risk of discrimination in the event of disclosure of sensitive data.

 

Operational and long-term risks

• targeted fraud attempts (phishing, SMS, telephone) exploiting your data,
• attempts to extract additional information (e.g. login details or financial data),
• attempts to gain unauthorised access to accounts (email, banking, university systems),
• difficulties in accessing public, financial or educational services,
• receipt of unsolicited information or contact,
• long-term consequences associated with data being in circulation, including its further copying and use by third parties.

 

Remedial measures taken

Upon detecting the incident, we immediately took action to stop unauthorised access, secure the systems and mitigate the impact of the incident.

 

In particular:

• we isolated the compromised systems to prevent further unauthorised access,
• we forced a password reset for all users and updated the components responsible for authentication,
• we implemented additional login security measures,
• we restricted access to selected systems and data to essential users only,
• we carried out a detailed audit of the entire IT environment to detect any traces of unauthorised activity,
• we secured the data and analysed the course of the incident.

 

After implementing these measures, we re-checked the systems — we found no further presence of unauthorised persons.

 

At the same time:

• we reported the incident to the relevant authorities (CERT Polska, CBZC, the President of the Personal Data Protection Office),
• we are cooperating with CERT Polska and CBZC to fully clarify the incident.

In addition, we are strengthening our security measures for the future, including by:

• extending the use of additional login security measures,
• expanding threat detection systems,
• increasing the level of network monitoring and isolation.

 

Recommended measures – what steps you can take yourself

At this stage, it is not certain whether your data has been misused; however, we recommend that you remain particularly vigilant and take steps to minimise the potential impact of this incident.

 

Protecting your identity and financial data

• blocking your PESEL number – this is one of the most effective safeguards against your data being used to incur financial obligations (e.g. loans, credits); this can be done online, via the mObywatel app or at a local authority office,
• monitoring credit activity by setting up an account with credit and business information systems (e.g. BIK, BIG, KRD, ERIF) and enabling alerts for attempts to misuse your data,
• checking the history of enquiries regarding your PESEL number (who verified it and when).

Securing access to accounts and services

• changing passwords for email, online banking, university systems, and other services –passwords should be unique for each account,
• enabling multi-factor authentication where possible,
• checking whether login details have appeared in known data breaches (e.g. via the service: https://bezpiecznedane.gov.pl).

 

Limiting the availability of personal data in the public domain

• reviewing personal information available online and removing any data that is not essential (e.g. telephone numbers, email addresses, home addresses, photographs),
• exercising particular caution when publishing personal information in future.

 

Caution in contacts and communication

• remaining vigilant regarding suspicious emails, text messages and phone calls,
• not sharing personal data or login details with third parties without verification,
• not opening unknown attachments or links, even if the message appears to come from a known institution,
• exercise particular caution with messages concerning financial matters, health, admissions or “urgent actions”.

 

Responding to irregularities

• if you notice any suspicious activity (e.g. attempts to incur debt, unknown logins, unauthorised contracts) — contact the relevant institution (e.g. your bank) immediately,
• report the matter to law enforcement agencies if you suspect data has been misused,
• notify the data controller (the University) of the incident.

 

Additional precautions

• provide only the minimum amount of data necessary to resolve the matter in question,
• consider replacing your identity document if there are grounds for its misuse,
• exercise particular caution in situations where someone refers to your data or attempts to verify it.

 

Formal and administrative matters

• in the event of a breach of privacy, you have the right to pursue civil claims (e.g. for damages or compensation),
• you also have the right to lodge a complaint with the President of the Personal Data Protection Office.

If you become aware of your data being used by an unauthorised person or notice any cause for concern, please report this information as soon as possible and take appropriate action, including contacting the relevant authorities.

 

Where can you find more information?

We encourage you to regularly check the announcements on the University of Warsaw’s main website – https://en.uw.edu.pl/ – and to read the guide “Cyber Hygiene Rules” and other useful publications available at https://www.odo.uw.edu.pl

 

If you have any questions regarding this incident or would like further information on personal data protection, please contact the University of Warsaw’s Data Protection Officer:

Dominik Ferenc – Data Protection Officer; Postal address: Data Protection Officer, University of Warsaw, Krakowskie Przedmieście 26/28, 00-927 Warsaw

email: iod@adm.uw.edu.pl,

telephone number: +48 22 55 22 042

 

We are doing our utmost to ensure that similar incidents do not occur in the future. We will keep you informed of any significant findings related to the incident.

 

We apologise for any inconvenience caused by this situation. We assure you that we attach the utmost importance to the security of your data and are taking every possible measure to protect it effectively in the future.