ICT, Organisation
Printing through Webprint no longer possible
Between 13 May and 18 September 2024, a vulnerability in Webprint (one of the printing options at Leiden University) meant unauthorised persons could view other users’ print jobs without logging in. This was through another application – webprint-epg – and involved entering the exact username or student number in a webprint-epg URL. This could be done from the time the print job was submitted until one hour after. The vulnerability was discovered on 18 September, after a staff member had reported this, and webprint-epg was taken offline.
Has my data or print data been misused?
The ISSC’s Security Operations department thinks it unlikely that print or other data was misused because access could only be gained to the print application in the space of an hour and unauthorised persons also needed a user name or student number. The department has reached this conclusion having requested log files from the Webprint supplier. These files do not give any indications of the vulnerability being misused. The vulnerability existed longer than the log files go back, so it can not be said with 100% certainty that misuse was not made of the vulnerability through Webprint.
How could this incident happen and what action has been taken?
The vulnerability arose through an incorrect configuration caused by human error. We regret that this happened. After discovering the vulnerability the Security Operations department took the following action:
- Webprint-epg was taken offline on 18 September;
- Log files were requested from the supplier and carefully examined by Security Operations;
- Following the incident, the ISSC has tightened up its procedures for testing configuration changes;
- Leiden University reported the incident to the Dutch Data Protection Authority;
- Various printing options were considered and the decision was made to use Papercut as the only alternative;
- The Webprint environment is no longer available for printing and has been replaced by Papercut.
Use Papercut to print
Leiden University has chosen Papercut as an alternative to Webprint. You can use it to print on a device of your choice.
Topping up your print credit
From now on, you can only use the Webprint environment to view your print credit. You can no longer print with Webprint but can continue to top up your credit as you were used to.
Questions?
If you have any questions about the incident, please contact the Privacy Office at privacy@bb.leidenuniv.nl.
Report incidents immediately
Accidentally sent a CV to the wrong email address or left your laptop on the train? An innocent mistake can cause a data breach or security incident. If we act fast, we can minimise the damage to your data and that of the university. Immediately report a potential incident to the ISSC Help Desk.