EASY application accessible again
No datasets downloaded with breached account data
Placementdate: 1 August 2024. Revision date: 14 August 2024.
The online archiving system EASY is accessible again since 31 July. As a precaution, the system was out of service for a short time after a data breach was detected. The cause of the data breach has since been established and it is clear that no datasets were downloaded with the breached data. As a result, EASY can be used safely again.
What should users of EASY do themselves?
To regain access to EASY, it is necessary to create a new password.
It is also necessary to create a new password to access the DANS Data Stations because as a precaution, all passwords in the DANS Data Stations were reset on August 9, 2024. Creating a new password to access the Data Stations is therefore also necessary if you have already done so before August 9th. Exception: if a so-called ‘federated account’ via SURFconext, Google or GitHub is used for the Data Stations, a new password is not required.
Users who use the same password for other applications and websites are strongly advised to change the password there too. In addition, be extra alert to suspicious e-mails.
What happened?
Personal data from EASY accounts fell into the hands of a third party. Although passwords are stored encrypted, it cannot be ruled out that they could be decrypted.
We can now report that there have been no downloads from EASY and the DANS Data Stations of non-public datasets containing the breached account credentials. These are non-public datasets for which permission from the owner is required to download the data. We can draw this conclusion after careful analysis, including a double-check of the use of datasets in EASY and the DANS Data Stations.
What has been done?
The cause of the data breach has been found and we have taken the necessary measures. EASY can be used securely again.
Immediately after the data breach was detected, we blocked access to EASY and reset passwords for both EASY and the DANS Data Stations as a precautionary measure. We also investigated whether leaked account data had been used to download non-public datasets.
In addition, the data breach was reported to the Personal Data Authority. We notified users of EASY and the Data Stations personally.
What is EASY?
EASY is DANS’s former online archiving system for storing and reusing research data. It contains datasets drawn from various fields of study and disciplines, including the humanities, health sciences, social and behavioural sciences, oral history and spatial sciences. The successors to EASY are the DANS Data Stations.
What data is part of the current data breach?
Personal data in accounts for EASY at the time of the breach are involved in the current data breach.
Which account details are registered with DANS?
Exactly what information is collected depends on what information users have provided in their accounts. In any case, it concerns the required fields: email address, initials, surname and address (street, postcode, town). The organisation to which the user is affiliated is provided often, although not mandatory. You can check which data is (or may be) part of your account in this detailed overview added to the DANS privacy statement.
Are accounts that have not been used for a long time also part of the data breach?
Yes, all accounts for EASY are part of the breach. There is no term attached to the maintenance of the account because the use of DANS services is in principle intended for a longer term. For this reason, accounts are not deleted, even if they have not been used for a long time.
However, the data breach is a reason for DANS to evaluate the current procedures and improve them where possible.
If account deletion has been requested, is that data part of the breach?
Users are always free to request to have accounts deleted. In some cases, deletion is not possible (see below). In those cases where this was possible, account data has been deleted in the past and the breach does not affect that data.
When will account data not be deleted?
There are two situations in which DANS cannot delete accounts because they are an integral part of the DANS services:
- If accounts have been used to deposit one or more datasets with DANS, they cannot be deleted. A deposit agreement (formerly a licence agreement) is concluded between a depositor and DANS, in which it is agreed that DANS will retain the account data.
- When accounts were used to download datasets that are not publicly accessible. In that case, DANS has an agreement with the depositing party to register the account of the person downloading this data. It is important for the depositing party to ensure that the EASY General Terms and Conditions of Use and the DANS license have been used when downloading. In addition, there may be reason to approach users of data about the data, for example when the use has to be discontinued for legal reasons.
What can I do to protect my data?
Secure your account well with a strong password.
Where can I go if I have more questions?
Please e-mail your questions to .