Cyber Incident Victim: City of Nuremberg
Date: Dec 2022
Location: Germany
Summary
A phishing attack compromised login credentials for 16 teacher and student accounts across nine schools in Nuremberg, Bavaria, Germany, with the stolen data offered for sale on the Darknet. The breach affected Office 365 accounts, enabling access to communication tools like Teams and Microsoft applications such as Word and Excel. As a precaution, nearly 10,000 accounts were temporarily disabled while IT specialists investigated suspicious activity; most were reactivated shortly afterward following security reviews. Mandatory password resets to new 12-character passwords were enforced for all Office accounts to bolster protection. The incident, which was detected during routine monitoring and was not a direct hack, did not impact city administration systems due to segregated IT infrastructure. Authorities including regional school offices and state agencies were notified, with investigations ongoing to determine the full scope.
Description
In early December 2022, nine schools in Nuremberg, Bavaria, experienced a cybersecurity incident involving compromised Office 365 accounts. Security experts discovered during a routine investigation that login credentials (usernames and passwords) for 16 teacher and student accounts had been listed for sale on the Darknet. The affected accounts provided access to Microsoft Teams for internal communication and videoconferencing, along with associated applications like Word and Excel through cloud storage. Though initially reported as impacting nine schools, subsequent analysis revealed eleven affected institutions—including Realschulen, vocational schools, and Gymnasien. As a precautionary measure, authorities temporarily disabled nearly 10,000 accounts across the school network. Notification protocols were activated immediately, with alerts sent to the impacted schools, the State School Office, and ministerial supervisors at the Government of Middle Franconia. The municipal administration's systems remained unaffected due to their physical separation from school IT infrastructure, as confirmed by Nuremberg’s School Commissioner Cornelia Trinkl.

IT specialists conducted intensive forensic examinations throughout the weekend following the discovery, focusing on identifying additional compromised accounts. By December 12, 2022, officials determined most suspended accounts showed no signs of compromise and began reactivating them to minimize educational disruptions. Only a small subset remained under investigation for potential phishing links. Concurrently, administrators enforced a mandatory password reset policy requiring all Office 365 users to adopt new 12-character credentials for enhanced security. Authorities clarified that the incident stemmed from credential harvesting via phishing rather than a direct system breach, with no evidence suggesting ongoing unauthorized access at the time of containment. The final count of definitively compromised accounts remained pending further investigation, though the prompt response prevented broader operational impacts beyond temporary account lockouts and password resets.
