In the end of December 2021, Strætó was avictim of a hostile cyber-attack from foreign hackers and sensitive data was stolen. Below you can find announcements and newest information about the ongoing investigation.
Information updated on 18 January, 2022.
Announcement for former employees 18. January 2022
This information is intended for former Strætó employees.
Like previously reported, at the end of December, Strætó was a victim of a hostile cyber-attack from foreign hackers who managed to break into Strætó servers and steal data.
TThe attackers have threatened to publish the stolen data if Strætó did not pay a requested fee. According to guidelines from the Icelandic Network Security Team (netöryggissveit Íslands), Strætó will not comply with such demands and there is currently no indication that the attackers have published any data.
Extensive measures have been taken to block the access of the parties in question and limit the impact of the data breach.
With this announcement, Strætó seeks to inform all former employees what categories of personal information may be in jeopardy.
Those are the following information:
- Information about name, ID number, address, e-mail address, telephone number and information about emergency contacts.
- Staff photographs
- Copies of job applications and supporting documents
- Copies of employment contracts
- Copies of payslips and other salary information, ie. amount of wages, account information, information on payments to trade unions and pension funds (7 years back, since the security breach occurred)
- Copies of reprimands, complaints, termination agreements, letters of resignation, etc.,
- Information about criminal records
- Copies of drivers licenses
- Copies of shift schedules
- Copies of time sheets and time reports, ie. presence and absence information, e.g. due to illness or vacation
- Information on sick days (not information on cause of illness)
- Copies of salary analyzes
- Copies of outlays (copy of invoice)
- Copies of employer certificates
- Copies of staff interviews, e.g. on performance and career development
- Copies of communication with the human resources department, as applicable
- Copies of information about communication problems in the workplace, e.g. reports of harassment and violence in the workplace and information on the analysis of such cases and results
- Copies of disputes, incl. through unions and lawyers
- Information on the maintenance of specified employees on specified Strætó vehicles
- A copy of information from the National Registry, ie. information on name, ID number, gender, domicile, citizenship, family number, marital status, citizenship, name and ID number of spouse, name of publication and prohibition
- A copy of information from the system ID register, ie. information on name and publication name, place of residence, citizenship, date of new registration and number of the person in the register. The system also contains information on the ID number of the party requesting the system ID number for the registered person, but such parties may, as the case may be, individuals.
Copies of personal records of employees / former employees that contain the data that the parties in question have stored there
Please note that this is not an exhaustive list, but the above list should cover the vast majority of categories of personal information stored in HR systems and computer drives that the attackers might have copied. Not all categories may not apply to all former Strætó employees.
Special attention is drawn to the attackers’ access to information that is considered sensitive according to the Privacy Act, ie. information on trade union membership, information on sick leave, which may be classified as health information according to the Act, as well as information on criminal records.
There is no indication that the attackers have or will be able to misuse the information and at this stage there is no reason for you to take special measures.
If you have any questions regarding the security breach, we suggest that you contact the Strætó privacy officer (firstname.lastname@example.org).
Announcement from 5. January 2022
Like previously reported, Strætó was a victim of a hostile cyber-attack from foreign hackers who managed to break into Strætó servers and steal data.
The attackers have threatened to publish the data if Strætó does not pay a requested fee. In accordance with the guidelines of the Icelandic Network Security Team (netöryggissveit Íslands), Strætó will not comply with such demands. The Data Protection Authority (Persónuvernd) has been notified of the matter and Strætó is in constant contact with the institution as a result.
An investigation by Advania and the network security company Syndis is still ongoing and extensive measures have been taken to block the access of the parties in question and limit the impact of the data breach. These include blocking access to specified IP numbers and specified access to Strætó’s systems, as well as restarting the passwords of individuals who have access to the systems in question.
The systems that the attackers have gained access to are the following:
- Strætó’s payroll system where there is contact information, account information and salary information for current and former Strætó employees.
- Strætó’s human resources system where there is contact information, employment contracts and other data related to Strætó’s former and current employees.
- Strætó case file where you can find inquiries from the public, contact information of suppliers, partners and contractors, as well as copies data for job applications.
- Strætó network where you can find information about audio recordings of calls that were made 90 days before the cyber-attack.
There is no indication that the attackers have or can misuse this information, but it cannot be ruled out that the data will be made public.
Strætó regrets that this cyber-attack has taken place and is working hard to complete the investigation and further information will appear here on Strætó’s website as the investigation progresses.
It should be noted that Strætó processes personal information as a so-called processor on behalf of other parties, so-called guarantors. Regarding the possible access of the attacker to that information, the responsible parties will notify the parties concerned of such security breach, as appropriate.
Further information on this security breach is provided by Strætó’s privacy representative, Sigurður Már Eggertsson, via the email email@example.com