"Despite the hectic situation, Maastricht University continued to communicate, allowing institutions to arm themselves in a timely manner. In doing so, they have done the sector a great service."
SURF Security and Privacy Award 2021 for Maastricht University
The prize, which amounts to 2,500 euros, was awarded during the online edition of SURFcert, SCIPR, and SCIRT's annual Security and Privacy Conference. Michiel Borgers, CIO of Maastricht University, accepted the award. The cheque reads 100,000 μBTC, a reference to the ransom paid by the university in Bitcoin.
As soon as it became clear that the university had been hacked, Maastricht University contacted SURFcert and shared the Indicators of Compromise (IoCs), among other things. SURFcert shared the IoCs with other institutions so that they could specifically check whether they too had been compromised by this ransomware. Six weeks after the hack, Maastricht University organised a symposium about the lessons learned. In the symposium, they openly shared their experience and knowledge about this hack. The symposium could be followed by everyone via a livestream. Additionally, the university shared knowledge and (technical) experiences via various other forums.
The most important message of the symposium was the need to make the sector more resilient to cybercrime by working together even more. One of the ideas on how to do that was to set up a sector-wide Security Operations Centre (SOC) with 24/7 monitoring and logging. Michiel Borgers chaired the steering committee on behalf of the universities. This steering committee launched SURFsoc on 7 January 2021, one year after the incident.
About the SURF Security and Privacy Award
The SURF Security and Privacy Award is granted annually to a person, initiative, or idea that contributes to an Internet that is as open, accessible, privacy-friendly, and reliable as possible: an Internet where researchers, students and teachers can do their work in complete safety. The winner of the award must use the money to further improve security and/or privacy in the sector.