
University of Warsaw Data Breach Exposes 200,000+ Sensitive Files on Darknet


Over 200,000 files containing sensitive personal information have been leaked following the University of Warsaw cyberattack that targeted the institution’s digital systems. The attack, which resulted in the publication of the stolen data on the darknet in mid-April 2026, has raised significant concerns about the university's cybersecurity protocols.

In response to the breach, the University of Warsaw took immediate action, isolating affected systems and working closely with relevant authorities to assess the scope of the incident. Rector Alojzy Z. Nowak commented, “Immediately after detecting the incident, the University undertook a series of actions aimed at limiting its impact and securing the IT environment. These included isolating affected systems, terminating unauthorized access, enforcing password resets for all users, strengthening authentication mechanisms, and conducting a comprehensive security review of the infrastructure.”

How the University of Warsaw Cyberattack Unfolded 

The cyberattack unfolded over several months, with attackers gaining access to the university's systems using valid login credentials. These credentials were likely obtained through malware that infected a user’s device, allowing the attackers to quietly exfiltrate large amounts of data over time. The stolen data was eventually posted on the darknet on the night of April 15, 2026, in an 850-gigabyte data dump.

The breach was initially detected on February 9, 2026, during a routine security scan, triggered by global ransomware threats. At first, it was believed that the stolen data had not left the university’s infrastructure. However, subsequent investigation revealed that a significant portion had already been leaked online.

In response to our inquiry, the university clarified: “At this stage, the investigation is ongoing, and no definitive attribution has been publicly confirmed. The incident involved unauthorized access using valid credentials that had likely been previously compromised, most probably through malware on a user’s device.”

What Data Was Exposed? 

The leaked files, which total over 200,000 documents, include a broad range of sensitive information. A large portion of the data came from the Faculty of Applied Social Sciences and Resocialization, as well as the Faculty of Neophilology. The breach exposed approximately 650 GB of publicly accessible audiovisual materials, along with 200 GB of sensitive personal data.

Among the types of personal data exposed were:

  • Identification details: Full names, birthdates, gender, nationality, PESEL numbers, and identity document numbers (e.g., passport numbers).
  • Contact information: Home addresses, phone numbers, email addresses, and usernames.
  • Financial and tax information: Bank account numbers and tax records.
  • Employment data: Employment contracts and career histories.
  • Health records: Information from medical certificates, including sick leave records.

The university has acknowledged that it’s still too early to definitively determine which individuals' data has been impacted. In an official statement, they noted, “Given the nature of the incident, it is not yet possible to conclusively determine which specific individuals’ data may have been impacted; therefore, we encourage all members of the academic community to follow the recommended guidance and monitor further updates.”

Official Response and Security Measures 

Following the breach, the university has worked diligently to mitigate further damage. In addition to isolating the affected systems, the university has collaborated with Poland’s Central Bureau for Combating Cybercrime (CBZC) and CERT Polska to investigate the incident and fortify its cybersecurity defenses.

“We remain committed to fully clarifying the circumstances of this incident and to continuously improving the protection of personal data,” Rector Nowak stated. The university also emphasized its ongoing efforts to enhance security measures, including expanding advanced authentication methods, increasing network monitoring, and further segmenting IT infrastructure to reduce exposure to future risks.

Moreover, the university has published a detailed communication, following GDPR guidelines, to inform affected individuals about the breach and provide recommendations on how they can protect themselves. “Affected individuals are being informed through an official public communication available on the University’s website,” the statement said. “These include, among others, monitoring financial activity, securing personal data (e.g., PESEL number), changing passwords, enabling multi-factor authentication, and remaining vigilant against phishing or fraud attempts.”

Consequences of the Warsaw University Data Leak 

The leaked data presents a serious risk to those affected. The exposure of personal identification details, financial information, and health records could lead to a range of harmful outcomes, including:

  • Identity theft: Cybercriminals could use the stolen data to impersonate individuals, open accounts in their names, or conduct fraudulent transactions.
  • Financial fraud: With access to sensitive financial information, attackers may attempt to take out loans, make unauthorized purchases, or commit tax fraud.
  • Health and privacy violations: Unauthorized access to medical records could lead to misuse of health-related information for fraud or exploitation.

Moreover, the data leak also carries legal and operational risks, such as wrongful use of personal data in official systems or academic environments. University applicants could face fraudulent claims or be targeted by scams related to university admissions or scholarship offers.

Preventive Actions and Recommendations 

While the university has taken immediate steps to isolate the affected systems and enhance its security infrastructure, there are additional measures individuals can take to protect themselves from potential fallout:

  • Monitor financial and credit activity: Individuals should check their credit reports for any suspicious activity and set up alerts for new credit inquiries.
  • Change passwords and use multi-factor authentication: Affected individuals should update their passwords for email, bank accounts, and university systems, ensuring they use strong, unique passwords for each service.  
  • Be cautious of phishing attempts: The exposure of personal data may lead to targeted phishing attacks. Individuals should remain vigilant when receiving unsolicited messages, particularly those related to banking or health services.

Hackers targeted Poland’s National Centre for Nuclear Research

Hackers targeted Poland’s National Centre for Nuclear Research, but security systems detected and blocked the attack before any damage.

The National Centre for Nuclear Research in Poland reported a cyberattack on its IT infrastructure. The intrusion attempt was quickly detected by security systems, allowing staff to secure the targeted systems and prevent any operational impact.

“The National Centre for Nuclear Research announces that an attempted cyberattack on the Institute’s IT infrastructure recently occurred,” reads the press release published by the NCBJ. “Thanks to the rapid and effective actions of our security systems and procedures, as well as the rapid response of our teams, the attack was thwarted, and the integrity of the systems was not compromised.”

The National Centre for Nuclear Research (NCBJ) is Poland’s leading nuclear science institute. It conducts research in nuclear energy, physics, and technology and operates the MARIA reactor, one of Europe’s most powerful research reactors. The MARIA reactor at the National Centre for Nuclear Research is a high-flux research reactor used for scientific experiments, nuclear physics research, isotope production, and training. It plays a central role in Poland’s nuclear research and serves both domestic and international scientific projects.

According to Director Jakub Kupecki, no production, research, or operational activities were disrupted and the MARIA reactor continues to operate safely at full power.

The institute is coordinating its response with several government bodies, including NASK-PIB, the Ministry of Digital Affairs, Deputy Prime Minister Krzysztof Gawkowski, and the Ministry of Energy to ensure the highest level of protection for critical infrastructure.

“The situation is being continuously monitored by the appropriate services and security teams. The National Centre for Nuclear Research remains fully prepared to respond to any attempts to breach the country’s digital security and critical infrastructure,” concludes the press release. “We emphasize that the National Centre for Nuclear Research is operating without disruptions and the MARIA nuclear reactor is safe.”

According to Reuters, the Polish government is investigating signs that Iran may be behind the attack, while cautioning that these indicators could be a deliberate misdirection to conceal the attackers’ true origin.

Minister for Digital Affairs Krzysztof Gawkowski revealed that the attack took place “in the past few days”.

“The attack may not have been on a huge scale, but there was an attempt to break through the security that was stopped. Appropriate services are already working,” Gawkowski said.

“The first identifications of the entry vectors, i.e. those places from which (the centre) was attacked, are related to Iran,” he said. “When there is final information and the services will check it, we will verify it, but there are many indications that it took place on the territory of Iran.”

In January, ESET linked a late-2025 cyberattack on Poland’s energy system to the Russia-linked Sandworm APT. The group launched what was described as the largest cyberattack on Poland’s power grid in December 2025.


Pierluigi Paganini

(SecurityAffairs – hacking, Poland)
