How can I know if my personal data was accessed in the breach?
The issuing of direct communications by email or post to affected individuals in accordance with our data subject notification obligations has commenced.
This direct communication will let recipients know what kind of personal information was released and of measures that should continue to be taken to mitigate any risk that personal data may be used unlawfully.
This is expected to take several weeks to complete and we will issue a further update once all communications have issued.
Why has it taken until now to issue the communications?
In the aftermath of the cyber-attack, general staff
notifications and press releases were issued and briefings were held to advise
all of our staff of the attack and the risks of their data having been affected,
in addition to providing fraud prevention advice. Individual notifications
commenced as soon as MTU was in a position to do so.
As we have communicated since the initial period after
the attack, this was necessarily going to be a lengthy process. The extraction
and analysis of data that was released on the dark web has taken a significant
effort working with external specialists. This was a complex process involving
the use of e-discovery software to log the categories of personal data that
were compromised across, in some instances, various categories of separate
files or documents, the categories of individuals affected and to identify,
insofar as is possible, any affected individuals. There was a considerable
level of due diligence and quality assurance necessary to validate the identity
of any affected individuals and take all reasonable steps to categorise and map
the various items of personal data identified across the dataset to the
relevant individuals.
Why have not all my colleagues received a notice?
As not all notifications have issued yet, you may
still receive a letter in the coming weeks.
In some instances, an individual notification is not
deemed necessary in light of the nature of the personal data affected by the
attack (for example if the data was limited in nature or where the relevant
individual was not identifiable from the data affected).
The general notifications issued to all staff,
students and the public by MTU since the Cyber Breach occurred address the data
protection notification obligations in cases where an individual notification
is not deemed necessary.
Why are certain categories of data relating to me mentioned in the letter but not others?
Each letter has been tailored to give the recipient a
summary of the categories of personal data that have been identified as
relating to that individual during the course of the review of the dataset
released on the dark web following the attack. As a result, the letters will
vary from person to person.
How will I know if I am not to receive a direct communication?
We will issue a further update once all communications
have issued.
What should I do?
You should, as a matter of good practice, continue to
follow the advice and guidance we first published in February 2023 in response
to the cyber-attack. You should be vigilant of any suspicious or unsolicited
communications (as you should in the normal course) and not
disclose any of your personal data in response to such communications. You
should contact your financial institution or other providers
directly if you have any concerns about any calls or communications purporting
to come from any such providers.
The National Cyber Security Centre, An Garda Síochána
and the Banking and Payments Federation of Ireland have all published guidance
to educate the public about how to protect yourself from fraud, which is
available at www.bpfi.ie/wp-content/uploads/2020/07/Fraud_Prevention_Guide-1.pdf and at www.fraudsmart.ie. You should
continue to familiarize yourself with this advice.
Does the university recommend that those whose bank account details have been compromised should open a separate or new account?
As per the banking advisory previously communicated (www.bpfi.ie/wp-content/uploads/2020/07/Fraud_Prevention_Guide-1.pdf),
there is no advice that this is necessary, but you should continue to remain
vigilant of any suspicious or unsolicited communications (as
you should in the normal course) and not disclose any of your personal
data in response to such communications. You should contact your
financial institution or other providers directly if you have any concerns
about any calls or communications purporting to come from any such providers.
What is being done to mitigate against future attacks?
Cybercrime is commonplace and is becoming increasingly
advanced in nature. Unfortunately, there is always a possibility that a
cyber-attack could happen again, although MTU is doing all we can to ensure
adequate protections are in place to help reduce this risk and possibility.
Since the cyber incident in February 2023, MTU has:
• Increased and strengthened our information technology
infrastructure, systems, platforms, and cyber security protections.
• Strengthened our staff cyber security awareness and
data protection training.
• Strengthened our technology risk management processes.
• Increased visibility around external threats and our
ability to reduce and/or mitigate threats before they have an impact on MTU.
• Gained access to additional information to allow us to make
informed cybersecurity decisions.
• MTU continues to work with various cyber security
organisations to ensure proactive protections against possible future
cyber-attacks.
For good governance and cyber security reasons, we
cannot go into detail on exactly what cyber security measures MTU currently has
implemented. MTU is actively reviewing and regularly improving our technology
and cyber security measures.
Do I need to contact An Garda Síochána?
MTU reported the cyber-attack to the Cybercrime Unit
of An Garda Síochána and it is not necessary for any individual to also report
this incident to them. However, individuals should contact An Garda Síochána if
they believe they have been the victim of a crime.
Do I need to seek a credit check and is there a cost associated with that?
While we do not perceive any particular risk of credit impersonation based on the information that has been breached, as advised on the Central Credit Register website, you have a right to apply for your credit report at any time, free of charge subject to fair usage (generally once every 12 months).