
Fine for HAN: Lessons on Compliance with Legal Security Obligations

IT, Privacy & Cybersecurity

12 January 2026

Written by

Natascha van Duuren


On 17 December 2025, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) imposed a fine of €175,000 on Arnhem and Nijmegen University of Applied Sciences (HAN) for insufficient protection of personal data. This decision follows a large-scale data breach in 2021, in which a hacker exploited a vulnerability in a web form to gain access to a database containing sensitive information of students and staff. The hacker demanded ransom, but HAN did not comply. Ultimately, among other data, names, addresses, passwords (with thousands unencrypted), social security numbers, and even medical data were exfiltrated.

What went wrong?

The AP’s investigation shows that HAN violated Article 32 of the GDPR on multiple points. The security measures were not aligned with the risks associated with processing large amounts of (sensitive) personal data. For example, access management was insufficient: a user account on the database server had unlimited rights, so a vulnerability in a single application provided access to all data. Logging and monitoring of server access were also inadequate, allowing earlier SQL injection attacks to go unnoticed. Additionally, passwords were stored either unencrypted or insufficiently encrypted.

Response and Measures

HAN acknowledged the shortcomings and, following the incident, implemented additional security measures. When determining the amount of the fine, the Dutch Data Protection Authority (AP) took into account HAN’s efforts to mitigate the impact on affected individuals and strengthen digital resilience. HAN decided not to appeal the fine and is committed to helping other organizations learn from this case, including through awareness initiatives and by organizing a conference on information security.

Key Lessons for Organizations

This case underscores the importance of a risk-based approach to information security, as prescribed not only by the GDPR but also by the Cybersecurity Act, which is expected to come into effect in May 2026. Organizations should:

  • Conduct regular risk analyses and align security measures accordingly;
  • Strictly limit and periodically review access rights;
  • Adequately encrypt passwords and delete outdated data in a timely manner;
  • Implement structured logging and system monitoring;
  • Not only establish best practices but also demonstrably comply with and document them.
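To make two of the AP's technical findings concrete (a web-form query that let user input alter the SQL, and passwords stored unencrypted or too weakly protected), here is an added Python example that is neither HAN's code nor part of the AP decision: a constructed in-memory SQLite user store with a parameterised lookup and salted PBKDF2 password hashing (what the lessons call "adequately encrypting" passwords is done in practice with a slow, salted one-way hash), shown next to the unsafe string-built query. The schema, function names and the work factor are assumptions; restricting the database account to only the tables it needs (the access-management finding) is configured on the database server and is not shown here.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed schema for this example; it is not HAN's actual user store.
SCHEMA = "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed; OWASP guidance)


def new_db():
    # In-memory SQLite database standing in for the application's database.
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted one-way hash: a leaked table yields no reusable passwords,
    # unlike the plaintext and weakly protected passwords in the HAN breach.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def store_user(conn, username: str, password: str) -> None:
    # Store a fresh random salt and the derived hash, never the password itself.
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (username, salt, hash_password(password, salt)))
    conn.commit()


def authenticate(conn, username: str, password: str) -> bool:
    # Bound parameter for the lookup, constant-time comparison of the hash.
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


def lookup_unsafe(conn, username: str) -> list:
    # The flawed pattern: input is pasted into the SQL text, so a value can
    # change the query's meaning rather than only the name being matched.
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [r[0] for r in conn.execute(query).fetchall()]


def lookup_safe(conn, username: str) -> list:
    # Same query with a bound parameter: the driver treats input as data only.
    query = "SELECT username FROM users WHERE username = ?"
    return [r[0] for r in conn.execute(query, (username,)).fetchall()]
```

Running the two lookups on an input that should match no account shows the difference: the bound-parameter version returns nothing, while the string-built version can return every row, which is why the logging and monitoring lesson matters as much as the code fix.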

Conclusion

The fine imposed on HAN is a clear warning: even institutions with existing security measures can face substantial penalties if those measures are insufficient for current risks. For organizations in education, healthcare, and other sectors processing large amounts of personal data, it is crucial to comply not only with the letter but also with the spirit of the GDPR. Proactive investment in cybersecurity and privacy is not a luxury; it is a necessity.

Questions?

Want to learn more about legal obligations regarding information security? Feel free to contact our team of IT, Privacy & Cybersecurity specialists.
