Data protection gap: Q&A

The affected server was storing data of around 9,600 individuals who have participated in communication training or examinations organised by the School of Health Professions. The personal data of participants between 2011 and 2024 are affected. The data was used for the administration of the trainings and the exams.

All those affected by the data leak whom the BFH is able to contact were informed by us via e-mail on 14 May 2024.

If you are unsure whether you participated in communication training or an examination at the BFH School of Health Professions between 2011 and 2024 and suspect that you may also be affected, but have not received any e-mail from us, please write to the following e-mail address: datasupport@bfh.ch

The surname, first name, BFH abbreviation and BFH e-mail address of around 2,600 individuals were accessible. In addition to the above information, the personal contact details of around 3,600 individuals were also made public. For a further 3,400 individuals, only their personal contact details were accessible. Different sets of personal data were made public: telephone numbers, addresses, dates of birth, titles, private e-mail addresses and matriculation numbers.

In some cases, MD5 hashes of passwords were also made public. However, these are not passwords that have been personally generated or allocated, but rather passwords generated automatically by the system. These passwords were never issued to any individuals, were never altered and were never used to log in manually. These passwords were never used and may be regarded as worthless, scrambled data, as it is only possible to log in to BFH using single sign-on technology, i.e. via a secured university login.

If you are one of the individuals for whom exclusively the surname, first name, BFH abbreviation and BFH e-mail address have been made public, we recommend that you monitor your BFH e-mail inbox particularly closely for any attempted phishing. Please forward any suspicious e-mails at any time to servicedesk@bfh.ch if you would like them to be checked.

If you are one of the individuals for whom personal contact details have also been made public, we recommend that you exercise particular caution when using the channels concerned in order to check for any attempted phishing or suspicious contacts. Please likewise forward any suspicious e-mails at any time to servicedesk@bfh.ch if you would like them to be checked.

We informed the affected persons by e-mail on 14 May 2024.

However, we were unable to do so for those individuals for whom only a BFH e-mail address was indicated, which has in the meantime been deactivated. It has not been possible to inform these individuals. We have decided not to carry out any further investigations in order to establish their contact information as we have classified the risk of any threat associated with the disclosure of exclusively surnames and first names as being low.

Please write to the following e-mail address if you have any further questions: datasupport@bfh.ch

Our investigations have established that around 9,600 individuals have been affected by the data leak.

Access to the data was blocked as soon as the data protection gap was discovered. The entire application has been reviewed by both internal and external experts to identify any security risks, and system integrity has been reinstated.

In addition, we reported the incident to our cantonal data protection supervisory authority within 96 hours and agreed on the further course of action, including in particular the voluntary notification of affected persons.

An error was introduced during the initial configuration of a new server when data was migrated to it in September 2022. This was not noticed until now.

Ensuring the security of our data is of the utmost priority for the Bern University of Applied Sciences. Considerable efforts have been made in recent years to guarantee data security: 

  • On 11 July 2023 the BFH adopted a so-called “ISDP management system”. This sets a standard for handling data and information. It contains all of the requirements that must be complied with in order to protect personal data and to ensure information security. The concept is currently being implemented across the BFH as a whole.

  • All employees must now complete comprehensive awareness training (phishing simulations) as well as training in how to recognise risks. This started in September 2023. 

  • All information relating to information security and data protection is available on the Intranet (MyBFH). In addition, an “ISDP Coordinator” has been appointed for each department since 2023. These officials raise awareness within individual departments concerning data protection issues and provide support – alongside the centrally based Chief Information Officer (CISO) and data protection officials – in the event of any questions.