Leiden University leaks staff expense records during system migration



Leiden University reports a data leak on January 5, 2026, caused by a misconfiguration during a transition to a new financial and administrative system called BAS-InSite. 

During the migration from its legacy SAP system, staff members who had submitted expense claims over the previous two years were categorized as "creditors" alongside external suppliers.

A configuration choice in the new BAS-InSite portal allowed all university employees to view the supplier database. This choice was intended to promote transparency in procurement, but the system listed both commercial vendors and individual staff members because both were marked as creditors. As a result, any employee logged into the system could access the private contact information of their colleagues.

The exposed data includes:

  • Full names of staff and faculty
  • Home addresses
  • Personal telephone numbers
  • Expense claim history (as creditor records)

The university's Information Services and Systems Center (ISSC) received notification of the leak at midday and resolved the issue by 14:45 the same day. An internal investigation revealed that 661 staff members had access to the procurement page during the exposure window. Log files confirmed that only 11 individuals had their detail pages viewed, and the university stated there was no evidence of data misuse.

Leiden University reported the breach to the Dutch Data Protection Authority and is now reviewing its testing protocols to ensure that "least privilege" access is maintained during future system updates.
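The kind of pre-go-live check and log scoping described above can be sketched as follows. This is an added example, not code from the university or from BAS-InSite; the record schema, field names, role names and the corrected policy are all assumptions, and the data is constructed.

```python
from dataclasses import dataclass

# Fields treated as personal data (assumed names, not BAS-InSite's schema).
PERSONAL_FIELDS = {"home_address", "personal_phone"}

@dataclass(frozen=True)
class Creditor:
    creditor_id: str
    name: str
    kind: str          # origin before migration: "vendor" or "staff"
    fields: frozenset  # fields populated on the record's detail page

# Constructed sample records: after migration all of them are "creditors".
CREDITORS = [
    Creditor("C001", "Acme Lab Supplies BV", "vendor", frozenset({"business_address", "iban"})),
    Creditor("C002", "J. Jansen", "staff", frozenset({"home_address", "personal_phone"})),
    Creditor("C003", "P. de Vries", "staff", frozenset({"home_address"})),
]

# Role -> record kinds the role may read. The first policy mirrors the open
# supplier directory; the second is one possible least-privilege setting (assumed).
POLICY_AS_MIGRATED = {"employee": {"vendor", "staff"}, "finance": {"vendor", "staff"}}
POLICY_CORRECTED = {"employee": {"vendor"}, "finance": {"vendor", "staff"}}

def exposed_personal_records(creditors, policy, role):
    """Return ids of records carrying personal fields that `role` can read."""
    allowed = policy.get(role, set())  # unknown role: deny by default
    return sorted(c.creditor_id for c in creditors
                  if c.kind in allowed and c.fields & PERSONAL_FIELDS)

# Constructed access log: (user, creditor_id of the detail page opened).
ACCESS_LOG = [("u17", "C001"), ("u17", "C002"), ("u42", "C002"), ("u42", "C001")]

def viewed_staff_records(log, creditors):
    """Return staff record ids whose detail page appears in the log (impact scoping)."""
    staff_ids = {c.creditor_id for c in creditors if c.kind == "staff"}
    return sorted({cid for _, cid in log if cid in staff_ids})

if __name__ == "__main__":
    print("as migrated:", exposed_personal_records(CREDITORS, POLICY_AS_MIGRATED, "employee"))
    print("corrected:  ", exposed_personal_records(CREDITORS, POLICY_CORRECTED, "employee"))
    print("viewed:     ", viewed_staff_records(ACCESS_LOG, CREDITORS))
```

Run as a migration test, a non-empty result for the general employee role is a failure condition, because it keys on the personal fields a role can reach rather than on how the record was categorized.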
