40,000 students forced to queue for new passwords after 'severe' cyber attack

Tens of thousands of university students in Germany have been forced to queue up to receive new passwords following a mass-password reset spurned by a recent security incident.

The University of Giessen’s (JLU) 38,000 students are being issued with new passwords in person due to a legal oddity that means they can’t be notified through email, as is conventionally done after a credential reset.

Because the institution is part of the German National Research and Education Network (DFN), the students may only receive their new passwords in person as part of a legal requirement to be members of the body, JLU has confirmed.

Students are also being asked to bring a valid form of ID, and their personalised JLU photocard embedded with a chip to prove their identity. Moreover, the university has released a structured timetable for collection, with users asked to queue up during different time slots throughout this week based on their month of birth.

The password reset was deemed necessary after a suspected cyber attack almost ten days ago knocked JLU’s services offline. The incident was described as ‘severe’ in an open letter penned by the president of JLU Professor Dr Joybrato Mukherjee and required that the university shut down its servers.

JLU was taken offline on Sunday 8 December as a result of the attack, with all email systems and internal networks out of action, and no fixed date as to when all services will be back online.

These actions also meant the entire examination administrative system was taken offline, so students can’t be provided with degree certificates, transcripts or records of any exam certificates until services are restored.

JLU established a crisis management committee, led by the body's president, and has been working with authorities and cyber security experts to establish the extent of the damage and to aid in any ongoing investigations.

More than a thousand USB sticks loaded with anti-virus software are also being distributed en masse to professors, institutes and departments within the university. This is so that individuals can scan JLU's IT systems for any traces of malware.

Computer systems granted a clean bill of health will receive a green sticker, before individuals embark on a second wave of anti-virus scanning, scheduled to take place today.

While the first wave of anti-virus scanning searches for generic virus types, this second wave contains a scan that’s highly specified to the strain of malware that targeted the university.

JLU has had to conuct a scan of its computer systems in two waves because it was initially difficult to integrate the more specific anti-malware scanner into the existing anti-virus software.

However, this has now been achieved, and the second wave will be an all-encompassing anti-virus scan for both generic forms of malware as well as the new strain that targeted JLU.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.