Dear colleagues,
on March 18th, information about a data leak at Elsevier was published. User
credentials without encryption could be obtained from the web.

https://motherboard.vice.com/en_us/article/vbw8b9/elsevier-user-passwords-exposed-online

As of now there is no other public statement about this incident. The Data
Protection Officer Helen Gainford ([log in to unmask]) was the only person
with a substantial reply to my inquiries.

Helen Gainford said that all persons affected by this incident will receive
notifications from Elsevier or have already received them. Nevertheless, I
asked her for the names of the affected persons who belong to my institution,
because these messages from Elsevier might be considered advertisement, spam,
etc. and thus be ignored.

I received the names of the four persons from my institution who were
affected and wrote directly to them. This is a precautionary measure other
institutions should take as well, because other services might also be
affected if users have the same credentials there.

Best regards,

Bernhard Mittermaier

From: Data Protection Officer (ELS-OXF) [mailto:[log in to unmask]]
Sent: Friday, 22 March 2019 17:36
To: Mittermaier, Bernhard <[log in to unmask]>; Sellke, Claudia (ELS-FRK)
<[log in to unmask]>; Limberg, Joerg (ELS-FRK) <[log in to unmask]>; Capot,
Chris (ELS-NYC) <[log in to unmask]>; Reller, Tom (ELS-NYC)
<[log in to unmask]>; Data Protection Officer (ELS-OXF) <[log in to unmask]>
Cc: FM-dsb <[log in to unmask]>
Subject: RE: Data leak at Elsevier - Forschungszentrum Jülich GmbH

Dear Dr. Bernhard Mittermaier,

Thank you for including me on your email enquiry.

Let me stress that Elsevier regrets that this incident occurred and assure
you that we take the security of personal information seriously.

We did become aware that a subset of user account information, including
login IDs and passwords, was not stored in line with our standard practices,
which include encryption where appropriate. However, this was not an
Elsevier product-wide or Elsevier company-wide incident.

If information of anyone from your institution was potentially accessible in
this incident they would have received, or will soon be receiving,
notification by e-mail. In addition, as a precautionary measure, we have
informed the Dutch data protection authority of this incident.

I am available on Monday 25th March. If you wish to discuss this further do
let me know and we can arrange a call.

Kind regards,

Helen

Helen Gainford
Data Protection Officer

Elsevier
Elsevier Limited, The Boulevard, Langford Lane, Oxford, OX5 1GB, United
Kingdom
Email: [log in to unmask]


From: Mittermaier, Bernhard <[log in to unmask]>
Sent: 22 March 2019 13:18
To: Sellke, Claudia (ELS-FRK) <[log in to unmask]>; Limberg, Joerg (ELS-FRK)
<[log in to unmask]>; [log in to unmask]; Capot, Chris (ELS-NYC)
<[log in to unmask]>; Reller, Tom (ELS-NYC) <[log in to unmask]>; Data
Protection Officer (ELS-OXF) <[log in to unmask]>
Cc: FM-dsb <[log in to unmask]>
Subject: Data leak at Elsevier

Dear all,

on March 18th I became aware of a report regarding a data leak at Elsevier.

https://motherboard.vice.com/en_us/article/vbw8b9/elsevier-user-passwords-exposed-online

On March 19th I approached Claudia Sellke, the Sales Manager responsible for
Forschungszentrum Jülich, at the Elsevier booth at the German Library
Congress and asked for further information. She was not aware of the
incident, and at her request I forwarded the said website to her and to
Jörg Limberg (VP Europe) via e-mail.

Because I still did not get further information, I asked Dr. William Gunn,
Director of Scholarly Communications for Elsevier, on March 20th via Twitter
for more information.

https://twitter.com/BMittermaier/status/1108465812908752899

He said that I should ask Christopher Capot, Director of Communications at
Elsevier, and Tom Reller (VP Global Communications).

William Gunn had already included their Twitter account names in his reply
on March 20th, but they did not answer.


On the morning of March 21st I asked both of them some questions again.

https://twitter.com/BMittermaier/status/1108623483372781571

Later that day I asked if I could expect an answer and if so, when.

https://twitter.com/BMittermaier/status/1108749284235771904

Until now (March 22nd, 1pm GMT) I haven’t received any substantial answer
from any Elsevier representative nor am I aware of a press release from
Elsevier or RELX. This is not acceptable, at least if the report is correct.

My initial questions are:

Were passwords available in plain text?

Should libraries inform their patrons?

Is there a security risk for customers' networks if patrons use the same
credentials for other services?

I include the Data Protection Officers of Elsevier and Forschungszentrum
Jülich in this conversation.


Kind regards,

Bernhard Mittermaier

###########################################

Kind regards

Bernhard Mittermaier

###########################################


Dr. Bernhard Mittermaier

Forschungszentrum Jülich GmbH

Leiter der Zentralbibliothek / Head of the Central Library

52425 Jülich

Tel  ++49-2461-613013

Fax ++49-2461-616103

 

Registered office: Juelich
Registered in the Commercial Register of the Local Court of Dueren, No. HR B 3498
Chairman of the Supervisory Board: MinDir Dr. Karl Eugen Huthmacher
Board of Directors: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman),
Karsten Beneke (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt,
Prof. Dr. Sebastian M. Schmidt

 


lis-e-resources is a UKSG list - http://www.uksg.org