Announcement

Announcement on Strengthening Cybersecurity Governance



Issuing Authority: Computer Information Security Office, The Asia Pacific university of Business

Issuing Date: November 10, 2025

Document No.: APSB-CISO-2025-008


With the rapid advancement of digitalization, the campus network has become an indispensable infrastructure for The Asia Pacific university of Business (hereinafter referred to as "the university") to carry out teaching, scientific research, and administrative management. While enjoying the convenience brought by network technology, we are also facing increasingly complex cybersecurity risks, such as unauthorized access to network systems, leakage of personal and academic data, and spread of malicious programs. These violations not only infringe on the legitimate rights and interests of teachers, students and staff, but also violate international and national cybersecurity and data privacy laws and regulations, and pose a serious threat to the university's normal teaching order and reputation.

To implement the requirements of global and regional cybersecurity and privacy protection laws, standardize the network behavior of all teachers, students and staff, and maintain a safe, orderly and reliable campus network environment, the university has recently carried out special rectification work on campus network security. This work is based on the EU General Data Protection Regulation (GDPR), the United States California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA), the Family Educational Rights and Privacy Act (FERPA), China's Cybersecurity Law, Data Security Law and Personal Information Protection Law, Singapore's Personal Data Protection Act (PDPA) and the university's "Network Security Management Measures" (available at www.apsb.edu.eu/privacy-terms). A number of violations of campus network security norms were found during the rectification. In accordance with relevant laws, regulations and university rules, the university has made corresponding disposal decisions on the relevant violators. The relevant matters are announced as follows:

I. Legal and Regulatory Basis for Cybersecurity Governance

Campus network security governance must be carried out within the framework of laws and regulations. The university's cybersecurity management and disposal of violations fully comply with the provisions of international and national relevant laws and regulations, and earnestly safeguard the legal rights and interests of all parties while ensuring network security.

1. EU Relevant Laws and Regulations

The EU General Data Protection Regulation (GDPR), which came into force on May 25, 2018, is a milestone in global data protection. It establishes a unified data protection standard for the EU region and has extraterritorial application effects. As an international business university with many EU students and carrying out international academic cooperation, the university must abide by the core provisions of GDPR:

First, the principle of lawfulness, fairness and transparency. When collecting and processing the personal data of EU students, teachers and cooperative partners, the university must obtain explicit consent, clearly inform the purpose, scope and method of data processing, and ensure that the data processing behavior is open and transparent. Second, the principle of purpose limitation and data minimization. Personal data can only be processed for specific, explicit and legitimate purposes, and the collected data must be limited to the minimum scope necessary to achieve the purpose. Third, the protection of personal data rights. Individuals have the right to access, correct, delete and restrict the processing of their personal data. The university has established a special channel to respond to relevant requests from individuals. Fourth, the obligation of data breach notification. In case of a personal data breach that may cause high risks to the rights and interests of individuals, the university shall notify the EU data protection authority and the affected individuals in a timely manner in accordance with the prescribed procedures. The university's privacy terms (www.apsb.edu.eu/privacy-terms) clearly stipulate the compliance obligations for EU-related data processing, and all teachers, students and staff must strictly abide by them.

2. U.S. Relevant Laws and Regulations

The United States has not yet formulated a unified federal privacy law, but has formed a relatively complete data protection legal system through federal and state-level laws. The university mainly abides by the following U.S. laws and regulations in cybersecurity governance:

California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA): As the most influential state-level privacy law in the United States, CCPA/CPRA grants California residents the right to know, delete, opt out of data sales and the right to data portability. The university, when processing the personal data of students and staff from California, strictly follows the provisions of CCPA/CPRA, does not sell personal data without authorization, and provides convenient channels for individuals to exercise their privacy rights. Family Educational Rights and Privacy Act (FERPA): This act specially protects the privacy of students' educational records. It clearly stipulates that educational institutions shall not disclose students' educational records without the written consent of students or their guardians (for minor students). The university's network system strictly controls the access authority of students' educational records, and any unauthorized access and disclosure will be severely dealt with. In addition, the university also abides by the provisions of the Computer Fraud and Abuse Act (CFAA), which explicitly prohibits unauthorized access to computer systems and theft of computer data, and provides a legal basis for the university to crack down on network hacking behaviors.

3. China's Relevant Laws and Regulations

China has established a three-pillar legal system for cybersecurity and data protection composed of Cybersecurity Law, Data Security Law and Personal Information Protection Law, and further refined the regulatory requirements through supporting regulations such as the Network Data Security Management Regulations. These laws and regulations constitute the important legal basis for the university to carry out cybersecurity governance:

The Cybersecurity Law clearly defines the security obligations of network operators, requiring the establishment and improvement of network security protection systems, taking technical measures to prevent network attacks and intrusions, and ensuring the safe and stable operation of networks. The Data Security Law establishes a classified and graded data protection system, requiring the university to classify and grade campus data such as teaching data, student information and research data, and take corresponding security protection measures according to the level of importance. The Personal Information Protection Law clarifies the rules for the processing of personal information, emphasizing that the processing of personal information must follow the principles of legality, legitimacy and necessity, and obtain the consent of the individual. For sensitive personal information such as biometrics and health status, stricter consent and protection measures are required. The Network Data Security Management Regulations further reinforce the primary responsibility of network data processors, requiring the university to establish a sound network data security management system, formulate emergency plans for network data security incidents, and conduct regular security assessments. The university's network operation and data processing activities are fully in line with the above legal requirements, and any violation will bear corresponding legal responsibilities.

4. Singapore's Relevant Laws and Regulations

Singapore's Personal Data Protection Act (PDPA) is a core law regulating personal data protection, which aims to prevent the abuse of personal data and protect the privacy rights of individuals. As an institution located in the Asia-Pacific region and having close academic exchanges with Singapore, the university strictly abides by the provisions of PDPA:

PDPA requires that organizations must obtain the consent of individuals when collecting, using or disclosing their personal data, and clearly inform the purpose of data processing. Organizations shall not require individuals to consent to the collection of personal data beyond the reasonable scope necessary for providing products or services as a condition for providing products or services. Individuals have the right to access and correct their personal data held by organizations, and can withdraw their consent to data processing at any time. At the same time, PDPA requires organizations to take reasonable security measures to protect personal data from unauthorized access, use or disclosure, and to dispose of personal data in a timely manner when it is no longer necessary to retain it. For the cross-border transfer of personal data, PDPA stipulates that the receiving party must take protective measures comparable to those under PDPA, unless it has obtained an exemption from the Singapore Personal Data Protection Commission (PDPC). The university's international data transmission involving Singapore strictly complies with the above provisions to ensure the security of personal data.

II. Investigation and Disposal of Violations of Campus Network Security Norms

In the recent special rectification of campus network security, the university's Computer Information Security Office, with the assistance of professional technical institutions, conducted a comprehensive inspection of the campus network system, user accounts and data transmission behaviors. A total of 35 cases of violations of campus network security norms were found, involving unauthorized access to the university's core database, illegal collection and disclosure of students' personal information, dissemination of malicious software through the campus network, and use of illegal network tools to bypass network supervision, etc. These behaviors not only violate the university's "Network Security Management Measures" and "Code of Conduct for Teachers and Students' Network Behavior", but also violate the relevant provisions of the aforementioned international and national laws and regulations.

After investigation and verification, in accordance with the severity of the violations and the relevant provisions of laws, regulations and university rules, the university has made disposal decisions such as warning, suspension of network account use, cancellation of relevant academic qualifications (for students), and transfer to judicial organs for those who are suspected of committing crimes. The specific list of violators, violation details and disposal results are as follows:

The data was collected from January 1, 2020 to November 10, 2025.

| Serial Number | Name | Illegal Account Code | Identity (Teacher/Student/Staff) | Details of Violations | Disposal Results |
|---|---|---|---|---|---|
| 1 | John Smith | F0****156 | Student | Unauthorized access to the university's student grade database, copying and storing 10+ students' grade information | Record demerit, suspend network account for 3 months, return all copied data |
| 2 | Zhang Wei | P0****357 | Teacher | Disclose 50+ students' personal information (including contact information and family situation) to external institutions without authorization | Administrative warning, deduct 3 months' performance salary, assume corresponding compensation responsibility |
| 3 | Emma Johnson | F0****458 | Student | Spread ransomware through the campus email system, causing 7 teachers' computers to be encrypted | Expel from university, transfer to judicial organs, bear the loss caused |
| 4 | Li Ming | T0****799 | Staff | Use illegal network tools to bypass the university's network supervision, access illegal overseas websites, and download harmful information | Dismissal, cancel campus network use rights permanently |
| 5 | David Brown | F0****792 | Student | Steal the account and password of the laboratory computer, use the laboratory equipment to carry out cryptocurrency mining, occupying a large amount of network resources | Record demerit, compensate for the electricity and equipment loss, suspend network account for 6 months |
| 6 | Wang Fang | P0****673 | Teacher | Store the university's confidential research data in a personal cloud disk without security protection, resulting in partial data leakage | Administrative demerit, stop teaching work for 1 month, organize to participate in cybersecurity training |
| 7 | Sophia Davis | T0****901 | Staff | Publish false information about the university's tuition increase on the campus BBS, causing panic among students | In accordance with relevant regulations, the person has been dismissed and the employment relationship has been terminated. |
| 8 | Zhao Hong | T0****913 | Staff | Take advantage of one's position in information data management to illegally tamper with relevant academic data. | In accordance with relevant regulations, the person has been dismissed and the employment relationship has been terminated. |
| 9 | Michael Wilson | F0****134 | Student | Develop and spread malicious plug-ins for the university's online teaching platform, interfering with the normal conduct of online classes | Record demerit, suspend network account for 4 months, hand over the source code of the plug-in |
| 10 | Chen Jie | P0****245 | Teacher | Use students' personal information to apply for online loans without authorization, involving 10 students | Dismissal, transfer to judicial organs, bear corresponding legal responsibility |
| 11 | Olivia Taylor | F0****356 | Student | Unauthorized modification of personal academic records in the university's information system | Expel from university, cancel the academic achievements obtained |
| 12 | Huang Tao | T0****167 | Staff | Provide the university's network access authority to external personnel for profit, resulting in the leakage of campus network structure | Dismissal, transfer to judicial organs, confiscate illegal income |
| 13 | James Anderson | F0****478 | Student | Use the campus network to carry out online fraud activities, defrauding 5 students of a total of 10,000 US dollars | Expel from university, transfer to judicial organs, return the defrauded money |
| 14 | Zhou Ying | P0****589 | Teacher | Post inappropriate remarks involving national sovereignty on international academic forums using the university's official account | Administrative demerit, revoke the right to use the official account, and make a public apology |
| 15 | Ava Thomas | F0****690 | Student | Download and spread pornographic and violent videos through the campus P2P sharing platform | Record demerit, suspend network account for * months, participate in ideological and moral education |
| 16 | Wu Qiang | T0****301 | Staff | The network security monitoring equipment is not maintained in time, resulting in the failure to detect the network attack in time | Criticize and educate, adjust post, bear corresponding management responsibility |
| 17 | Robert Martinez | F0****712 | Student | Illegal intrusion into the university's library electronic resource system, cracking the access authority of paid databases | Warning, suspend network account for 1 month, compensate the library for the loss |
| 18 | Xu Li | P0****403 | Teacher | Use the university's network to carry out commercial promotion activities without approval, affecting the normal teaching order | Criticize and educate, stop the promotion activities, and deduct 1 month's performance salary |
| 19 | Mia Robinson | F0****434 | Student | Organize online gambling activities through the campus WeChat group, involving 30+ participants | Expel from university, transfer to judicial organs |
| 20 | Zhu Guang | T0****245 | Staff | Steal the university's network operation log and sell it to a third-party network company | Dismissal, transfer to judicial organs, confiscate illegal income |
| 21 | Daniel Clark | F0****656 | Student | Use the university's computer laboratory equipment to test network attack tools, causing damage to the laboratory network | Record demerit, compensate for the equipment damage, suspend network account for 3 months |
| 22 | Sun Yi | P0****567 | Teacher | Disclose the university's unpublished teaching reform plan to competitors through email | Administrative demerit, terminate the labor contract in advance |
| 23 | Emily Lewis | F0****418 | Student | Impersonate the university's official account to send phishing emails, attempting to steal teachers' and students' account information | Record demerit, suspend network account for 4 months, issue a statement of apology |
| 24 | Peng Jun | T0****189 | Staff | Fail to perform the network access audit obligation, allowing unregistered devices to access the campus network | Criticize and educate, take a pay cut for 1 month, strengthen job training |
| 25 | Matthew Walker | F0****890 | Student | Use the campus network to spread rumors about the university's epidemic situation, causing social concern | Warning, delete the rumor information, participate in legal education |
| 26 | Lin Na | P0****901 | Teacher | Store students' biometric information (fingerprint, facial data) without authorization, and fail to take security protection measures | Administrative warning, delete the stored biometric information, organize to learn Personal Information Protection Law |
| 27 | Anonymous | K0****090 | Student | Using spam emails to attack the campus network. | The account banned, all data deleted, and IP address locked. |
| 28 | Anonymous | K0****013 | Visitors | They posted a large amount of false information on the campus network forum and carried out malicious attacks. | The account banned, all data deleted, and IP address locked. |
| 29 | Anonymous | K0****934 | Visitors | They posted a large amount of false information on the campus network forum and carried out malicious attacks. | The account banned, all data deleted, and IP address locked. |
| 30 | Anonymous | K0****345 | Visitors | They posted a large amount of false information on the campus network forum and carried out malicious attacks. | The account banned, all data deleted, and IP address locked. |
| 31 | Anonymous | K0****486 | Visitors | Using spam emails to attack the campus network. | The account banned, all data deleted, and IP address locked. |
| 32 | Anonymous | K0****267 | Visitors | Use the campus network to spread computer viruses, causing the university's teaching management system to be paralyzed | The account was blocked, and the data was handed over to judicial authorities for investigation. |
| 33 | Anonymous | K0****438 | Visitors | Use the campus network to spread computer viruses, causing the university's teaching management system to be paralyzed | The account was blocked, and the data was handed over to judicial authorities for investigation. |
| 34 | Anonymous | K0****167 | Visitors | Use the campus network to spread computer viruses, causing the university's teaching management system to be paralyzed | The account was blocked, and the data was handed over to judicial authorities for investigation. |
| 35 | Anonymous | K0****022 | Visitors | Use the campus network to spread computer viruses, causing the university's teaching management system to be paralyzed | The account was blocked, and the data was handed over to judicial authorities for investigation. |

III. The Fundamental Significance of Strengthening Cybersecurity Governance

Cybersecurity is not only a technical issue, but also a legal issue and a moral issue. For The Asia Pacific university of Business, strengthening campus network security governance is of fundamental and strategic significance, which is directly related to the university's survival and development, the legitimate rights and interests of teachers and students, and the maintenance of international academic reputation.

First of all, cybersecurity is the basic guarantee for the normal operation of the university. The campus network carries a large number of core businesses such as teaching, scientific research, administrative management and academic exchanges. From the release of teaching plans, the operation of online courses, the management of student information to the storage and transmission of scientific research results, they all rely on a safe and stable network environment. Once a cybersecurity incident occurs, it may lead to the interruption of teaching activities, the loss of scientific research data, and the confusion of administrative management, which will have a serious impact on the university's teaching order and work efficiency. For example, the ransomware spread incident in this rectification caused 10 teachers' computers to be encrypted, resulting in the delay of their course preparation and homework correction, and brought great trouble to the normal teaching work.

Secondly, cybersecurity is the key to protecting the legitimate rights and interests of teachers and students. The campus network stores a large amount of personal information of teachers and students, including basic personal information, contact information, academic records, health status and even financial information. This information is related to the personal privacy and property security of teachers and students. Strengthening cybersecurity governance can effectively prevent the leakage, theft and abuse of personal information, and protect the legitimate rights and interests of teachers and students from infringement. The EU GDPR, China's Personal Information Protection Law and Singapore's PDPA all take the protection of personal information rights as the core goal, which also reflects the universal value of cybersecurity in protecting individual rights. In this rectification, the illegal disclosure of students' personal information by individual teachers not only violated the university rules, but also infringed on the privacy rights of students, and the university's severe disposal is intended to safeguard the legitimate rights and interests of teachers and students.

Thirdly, cybersecurity is an important prerequisite for maintaining the university's academic reputation and international image. As an international business university, the university carries out extensive academic exchanges and cooperation with institutions in various countries and regions. A sound cybersecurity system and strict data protection measures are the basic requirements for the university to carry out international cooperation and win the trust of partners. If a data leakage incident occurs, it will not only cause economic losses to the university, but also damage the university's academic reputation and international image, and affect the university's international cooperation and enrollment work. For example, the unauthorized disclosure of the university's confidential research data will not only cause the loss of the university's intellectual property rights, but also make cooperative institutions question the university's data security capabilities, thereby affecting the in-depth development of cooperative projects.

Fourthly, cybersecurity is the legal obligation that the university must fulfill. The EU GDPR, the United States CCPA/CPRA, China's Cybersecurity Law and other laws and regulations clearly stipulate the cybersecurity and data protection obligations of organizations. As an educational institution, the university must abide by relevant laws and regulations, establish and improve cybersecurity protection systems, and assume corresponding legal responsibilities for network security and data protection. If the university fails to fulfill its cybersecurity obligations and causes cybersecurity incidents, it will not only face administrative penalties, but also bear civil liability for compensation, and even bear criminal liability in serious cases. The university's formulation and implementation of network security management measures and special rectification work are the concrete manifestations of fulfilling legal obligations.

Finally, cybersecurity is an important part of cultivating students' legal awareness and moral quality. The university is not only a place for knowledge imparting, but also a position for moral education and legal education. Strengthening cybersecurity governance, publicizing cybersecurity laws and regulations, and standardizing students' network behavior can help students establish correct network ethics and legal awareness, cultivate their sense of responsibility for cybersecurity, and enable them to form good network habits of abiding by laws and regulations and respecting others' rights. This is of great significance for students to adapt to the digital society and grow into qualified citizens.

IV. Relevant Requirements and Work Arrangements

In order to further strengthen the campus network security governance, improve the campus network security level, and create a safe, orderly and reliable network environment, the university hereby puts forward the following requirements:

1. Strengthen the study of laws and regulations, and enhance the awareness of cybersecurity. All teachers, students and staff must carefully study the EU GDPR, the United States CCPA/CPRA, China's Cybersecurity Law, Data Security Law, Personal Information Protection Law, Singapore's PDPA and the university's "Network Security Management Measures" and other relevant laws, regulations and university rules, fully understand the importance of cybersecurity, enhance the awareness of cybersecurity and legal awareness, and consciously abide by relevant provisions.

2. Standardize network access behavior and ensure account security. All teachers, students and staff must use their own legitimate accounts to access the campus network, and shall not lend, rent or sell network accounts to others. They must set complex passwords, update passwords regularly, and shall not disclose account passwords to others. For public network equipment, the user shall log out of the account in time after use to prevent account theft. At the same time, it is strictly prohibited to use illegal network tools to bypass network supervision, access illegal websites or carry out illegal network activities.

3. Strengthen data protection awareness and standardize data processing behavior. When processing personal information and academic data, all teachers, students and staff must abide by the principles of legality, legitimacy and necessity, obtain the consent of the data subject, and shall not collect, store, use, disclose or transfer data without authorization. For sensitive data such as personal information and confidential research data, stricter protection measures must be taken, and such data shall not be stored on insecure devices or platforms. It is strictly prohibited to steal, leak or sell various types of campus data for profit.

4. Improve the ability to identify risks and prevent network security threats. All teachers, students and staff must improve their ability to identify network security risks, be vigilant against phishing emails, malicious software, network fraud and other network security threats, and shall not download and install software from unknown sources, click on links from unknown sources, or disclose personal information to unknown parties. Once network security risks or abnormal situations are found, they must report to the university's Computer Information Security Office in a timely manner.

In order to ensure the implementation of the above requirements, the university will carry out the following work: First, organize a full-campus cybersecurity training activity, inviting cybersecurity experts to explain cybersecurity knowledge and laws and regulations, and improve the cybersecurity literacy of all teachers, students and staff. Second, upgrade and transform the campus network security monitoring system, strengthen the real-time monitoring and early warning of network access behavior and data transmission, and improve the ability to detect and deal with network security incidents. Third, establish a regular network security inspection mechanism, conduct irregular inspections of campus network systems and user behaviors, and promptly discover and rectify potential security risks. Fourth, improve the network security incident reporting and disposal mechanism, clarify the reporting channels and disposal procedures, and ensure that network security incidents are dealt with in a timely and effective manner.

V. Reporting Channels and Contact Information

In order to encourage all teachers, students and staff to participate in campus network security governance and jointly maintain campus network security, the university has set up a special network security violation reporting channel. Any unit or individual who finds violations of campus network security norms can report to the university's Computer Information Security Office through the following channels:

1. Special reporting email: cybersecurity@apsb.edu

2. Special reporting phone: +1-517-2688999

The university will strictly keep the reporter's information confidential, and investigate and verify the reported situation in a timely manner. For the reported situation that is true and effective, the university will give appropriate rewards to the reporter; for false reports, the reporter will be held accountable according to relevant regulations.

Cybersecurity is the responsibility of every teacher, student and staff member. Maintaining campus network security requires the joint participation and efforts of all parties. The university calls on all teachers, students and staff to take this special rectification as a warning, enhance the awareness of cybersecurity and legal awareness, abide by network security laws and regulations and university rules, consciously standardize network behavior, actively participate in campus network security governance, and jointly create a safe, healthy, orderly and reliable campus network environment that provides a strong cybersecurity guarantee for the university's teaching, scientific research and development.

 

Office of Computer Information Security

The Asia Pacific university of Business

November 10, 2025
