Interview: “We Mustn’t Turn our University into a Fortress”

2 February 2026

URZ Director Vincent Heuveline on the thwarted cyberattack and what we should learn from it

It is 6 pm on a Sunday evening in November when staff at the University Computing Centre (URZ) first become aware of irregularities. The servers indicate suspicious activities. Changes are taking place across the whole university network. The experts quickly realize that they are witnessing an attack – one that is greater and more dangerous than all of those detected so far. Within a short time, counter-measures are taken, the State Criminal Police Office and Cybersecurity Agency are contacted – and the attack is finally prevented. While – a good two months later – the acute danger has been averted, the consequences for many members of the university are still tangible. Prof. Dr Vincent Heuveline, URZ Director and the university’s Chief Information Officer, explains in the interview how Ruperto Carola only just escaped a complete systems breakdown and says when a return to normality can be expected. Above all, the mathematician and information scientist warns against further, even more vigorous attacks, which the university should be better prepared to handle.

URZ Director Vincent Heuveline

Prof. Heuveline, what would have happened if you and your team had not noticed the attack so quickly?

Heuveline: Then the university would have been paralyzed – and I mean completely. Probably this situation would still prevail now. In some cases, other universities were out of action for months. Fortunately, we immediately took a number of steps to force the hackers out of our systems. We then noted that, in reaction to the counter-measures, the hackers attempted further – and sometimes more intensive – attacks via different channels. That was highly professional and extremely dangerous. Those behind them were no beginners. We have already averted a number of attacks in the past – but never of this quality.

How were the hackers able to access the university network?

Heuveline: I can’t say anything definite about this attack since investigations are still ongoing. But cyberattacks are always multilayered. They are not started by one particular email that someone clicks on carelessly. It is much more subtle. Hackers start discreetly. They gain a foothold in the network in a corner somewhere. From there they look around and seize upon any vulnerability. You have to imagine it like guerilla warfare. Such attacks sometimes take months to prepare.

How come Heidelberg University got off so lightly?

Heuveline: We were certainly lucky but I also have a very good team. We assessed the first signs correctly and recognized the danger.

What was the hackers’ goal?

Heuveline: Such attacks mostly aim to encode data, and to paralyze and blackmail the institution.

Was data stolen?

Heuveline: Yes. Email addresses, names and coded password details, so-called hashes. We assume that no research data or other data was stolen.

Do those affected have to react?

Heuveline: No, because we directly called on all university members to change their passwords since the hackers would certainly have been able to decode the stolen password details after a while. So that was absolutely necessary. However, the effort was immense. We’re talking about 60,000 accounts. At URZ we had to actively support around 20 percent of the persons affected in changing their passwords. Another step was that university services and websites were only reachable via VPN or the university network – and in some cases still are. In order to use VPN, you need a Uni-ID and two-factor authentication. That does not give absolute protection but is still a distinct obstacle for hackers.

Why is it taking so long for all websites to be reachable again without restrictions?

Heuveline: Two conditions have to be met for a service or a webpage to go back online: first, competences must be clear. We have to know what institution a server belongs to and who is responsible. The second condition is security. In future we are not going to accept any servers that the vulnerability check assesses as highly critical. Meanwhile we have released over 170 services again. We still have 30 to 40 cases to finalize. It is a very complex process but it is also a contribution to our security in the future. We will now conduct such a review on a regular basis.

When can university members access their emails again without VPN?

Heuveline: I’m aware that the present email access is annoying and a burden for many, particularly on mobile devices. That’s naturally not going to last, but it was a necessary step. So please bear with us. It’s of course my wish – as a user, too – that we can return to normality. If that should not be possible in the near future, we will at least implement solutions that are more user friendly.

Science and research institutions are regarded as especially popular targets for attacks by cyber criminals. Why is that?

Heuveline: First, we have a valuable asset – our data. A university thrives on innovation and is interesting through that alone. The other factor is our structure. Universities are open institutions – and we want to stay that way. We mustn’t make the mistake of turning our university into a fortress. That would place massive burdens on research and cooperation. So we take risks that others don’t have – and that makes us more vulnerable to hacker attacks.

You say we must learn from the attack. What does that mean in practice?

Heuveline: One message is very important to me. We have to accept that we will be attacked time and again – and the quality of the attacks is rising. We won’t always be able to counter them. For that reason we must become more resilient. We are not measured by whether we ward off all attacks. We are measured by how we handle them. We’ll also stumble at some stage. We have to learn to get up again quickly. It shouldn’t take us weeks to be able to act normally again. That is the mission for me.

How can we get to that point?

Heuveline: We have to prepare the whole university better. It’s a matter of mindset. Security topics are not IT topics, they’re topics for the organization, the processes, the individuals. It’s a question of understanding what measures are necessary, and when. And it calls for cohesion and trust inside our institution. In addition, we need regular practice in dealing with cyberattacks, like the fire brigade carries out as a normal part of our daily lives.

Does resilience also mean that researchers should save their data better – doubly and triply – to have backup?

Heuveline: No, the topic of security should not dominate our real work, which is research and teaching. Scientists and scholars want to do research. And when they save data it is our job as the Computing Centre to ensure that the data is safe. We have an excellent infrastructure for that in Heidelberg. Whatever is saved in heiBOX or in our data centers is secured at several points, independently of each other.

What can individual members of the university do otherwise to improve security?

Heuveline: It sounds banal but for me the most important thing is that everyone remembers their own password and it is sufficiently long and complex. And the setup within the institutes and departments has to be clarified. In an emergency it must be absolutely clear who is responsible for what account. In addition, everyone should activate two-factor authentication and watch out for phishing emails.

Besides cooperation and understanding: What do you as URZ need to improve the security and resilience of IT infrastructure?

Heuveline: When we talk about good protection we are naturally also talking about resources. If we want to conduct regular practice, which I consider essential, we will need staff for that. But that doesn’t just apply to the university. In Europe we are investing too little in digitalization and digital security as a whole. We have to change that. In addition, we should push the bureaucracy aside for once and be pragmatic. It isn’t a matter of throwing our standards overboard. But if we want to survive in international competition we have to become more agile – and also take a shortcut more often to get ahead.

Personal background

Prof. Dr Vincent Heuveline has been the Managing Director of the Computing Centre and the Chief Information Officer (CIO) of Heidelberg University since 2013. At the state level, he is the spokesman of the steering group of the bwInfoSec federation, which strengthens information security at Baden-Württemberg’s universities and higher education institutions through advisory, training and information programs. In addition, since 2022 he has chaired the working group of directors of scientific computing centers in Baden-Württemberg (ALWR). As an academic, he heads two research units: the Engineering Mathematics and Computing Lab (EMCL) at Ruperto Carola’s Interdisciplinary Center for Scientific Computing and the working group “Data Mining and Uncertainty Quantification” at the Heidelberg Institute for Theoretical Studies.

Tips for digital security

  • Passwords should be sufficiently long and complex. They should also be changed at regular intervals. As a matter of principle, the same passwords should not be used for different accounts; that applies all the more to the interface between professional and private accounts.
  • Members of the university can send suspicious emails to the University Computing Centre for checking at any time. Simply forward the message as an attachment to phishing@urz.uni-heidelberg.de. The experts will examine the email – and block dangerous content and senders immediately for the whole university.
  • Two-factor authentication offers additional protection and is, for example, the precondition for using VPN. Besides Uni-ID and password, registering requires, for example, a numerical code that is generated with your personal smartphone. Therefore, even if hackers plunder the login data, they will not have access.
  • Support for problems and questions on the topic of IT security is available from the URZ’s IT Service. It can be reached online, during opening hours by calling +49 6221 54-117, as well as by chatbot.
  • For further information on the cyberattack on Heidelberg University and the action taken, see the website of the University Computing Centre