Dear colleagues,

on March 18th, information about a data leak at Elsevier was published. User credentials without encryption could be obtained from the web.

https://motherboard.vice.com/en_us/article/vbw8b9/elsevier-user-passwords-exposed-online

As of now there is no other public statement about this incident. The Data Protection Officer Helen Gainford ([log in to unmask]) was the only person with a substantial reply to my inquiries.

Helen Gainford said that all persons affected by this incident will receive notifications from Elsevier or already have received such. Nevertheless I asked her for the names of such persons who belong to my institution because these messages from Elsevier might be considered as advertisement, SPAM, etc. and thus be ignored. I received the names of the four persons from my institution who were affected and wrote directly to them.

This is a precautionary measure other institutions should take as well because other services might be affected as well if users have the same credentials at other services.

Best regards,
Bernhard Mittermaier

From: Data Protection Officer (ELS-OXF) <[log in to unmask]>
Sent: Friday, 22 March 2019 17:36
To: Mittermaier, Bernhard <[log in to unmask]>; Sellke, Claudia (ELS-FRK) <[log in to unmask]>; Limberg, Joerg (ELS-FRK) <[log in to unmask]>; Capot, Chris (ELS-NYC) <[log in to unmask]>; Reller, Tom (ELS-NYC) <[log in to unmask]>; Data Protection Officer (ELS-OXF) <[log in to unmask]>
Cc: FM-dsb <[log in to unmask]>
Subject: RE: Data leak at Elsevier - Forschungszentrum Jülich GmbH

Dear Dr. Bernhard Mittermaier

Thank you for including me on your email enquiry.
Let me stress that Elsevier regrets that this incident occurred and assure you that we take the security of personal information seriously.

We did become aware that a subset of user account information, including login IDs and passwords, were not stored in line with our standard practices, which include encryption where appropriate. However, this was not an Elsevier product-wide or Elsevier company-wide incident.

If information of anyone from your institution was potentially accessible in this incident they would have received, or will soon be receiving, notification by e-mail. In addition, as a precautionary measure, we have informed the Dutch data protection authority of this incident.

I am available on Monday 25th March. If you wish to discuss this further do let me know and we can arrange a call.

Kind regards,
Helen

Helen Gainford
Data Protection Officer
Elsevier

Elsevier Limited, The Boulevard, Langford Lane, Oxford, OX5 1GB, United Kingdom
Email: [log in to unmask]

From: Mittermaier, Bernhard <[log in to unmask]>
Sent: 22 March 2019 13:18
To: Sellke, Claudia (ELS-FRK) <[log in to unmask]>; Limberg, Joerg (ELS-FRK) <[log in to unmask]>; [log in to unmask]; Capot, Chris (ELS-NYC) <[log in to unmask]>; Reller, Tom (ELS-NYC) <[log in to unmask]>; Data Protection Officer (ELS-OXF) <[log in to unmask]>
Cc: FM-dsb <[log in to unmask]>
Subject: Data leak at Elsevier

Dear all,

on March 18th I became aware of a report regarding a data leak at Elsevier.
https://motherboard.vice.com/en_us/article/vbw8b9/elsevier-user-passwords-exposed-online

On March 19th I approached Claudia Sellke, the Sales Manager responsible for Forschungszentrum Jülich, at the Elsevier booth at the German Library Congress and asked for further information. She was not aware of the incident and on her request I forwarded the said website to herself and to Jörg Limberg (VP Europe) via Email.

Because I still did not get further information, I asked Dr. William Gunn, Director of Scholarly Communications for Elsevier, on March 20th via Twitter for more information

https://twitter.com/BMittermaier/status/1108465812908752899

He said that I should ask Christopher Capot, Director of Communications at Elsevier, and Tom Reller (VP Global Communications). William Gunn had already included their Twitter account names in his reply on March 20th, but they did not answer.

On the morning of March 21st I asked both of them again some questions

https://twitter.com/BMittermaier/status/1108623483372781571

Later that day I asked if I could expect an answer and if so, when.

https://twitter.com/BMittermaier/status/1108749284235771904

Until now (March 22nd, 1pm GMT) I haven’t received any substantial answer from any Elsevier representative nor am I aware of a press release from Elsevier or RELX. This is not acceptable, at least if the report is correct.

My initial questions are:

Were passwords available in plain text?
Should libraries inform their patrons?
Is there a security risk for customers' networks if patrons use the same credentials for other services?

I include the Data Protection Officers of Elsevier and Forschungszentrum Jülich in this conversation.

Kind regards,
Bernhard Mittermaier

###########################################
Warm regards
Bernhard Mittermaier
###########################################

Dr. Bernhard Mittermaier
Forschungszentrum Jülich GmbH
Head of the Central Library
52425 Jülich
Tel ++49-2461-613013
Fax ++49-2461-616103

Registered office: Juelich
Registered in the commercial register of the district court of Dueren, No. HR B 3498
Chairman of the Supervisory Board: MinDir Dr. Karl Eugen Huthmacher
Board of Directors: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt

lis-e-resources is a UKSG list - http://www.uksg.org
UKSG groups also available on Facebook and LinkedIn
Follow us on Twitter: https://twitter.com/UKSG