Cyber Incident Victim: Hochschule für Angewandte Wissenschaften Hamburg
Date: Dec 2022
Location: Germany
Summary
A cyber-attack targeted HAW Hamburg's central IT infrastructure, with attackers exploiting decentralized systems to gain administrative access, encrypt platforms, and delete backups. Compromised data was later published on the darknet, triggering GDPR breach notifications and facilitating scams such as fraudulent phone calls, identity theft, and phishing attempts. The incident disrupted critical university services, including student ID card validation, semester ticket functionality, grade access via myHAW, email systems, and academic platforms like EMIL and Stysis. Recovery efforts involved phased restoration of services and issuance of temporary semester tickets, while authorities investigated the breach.
Description
On December 29, 2022, HAW Hamburg detected a cyberattack targeting its information and communications infrastructure. The attackers manually infiltrated decentralized IT systems to gain unauthorized access to the university’s central network, security systems, and storage infrastructure. By exploiting this pathway, they acquired administrative privileges over central data storage systems, enabling them to compromise stored data, encrypt multiple virtualized platforms, and deliberately delete backup files. The incident caused immediate disruptions to critical university services, including HAW email, the EMIL learning platform, myHAW student portal, application management systems, and the Stysis academic administration platform.

HAW Hamburg’s IT Service Center (ITSC) initiated emergency response procedures to contain the breach and restore functionality, prioritizing system recovery while acknowledging service interruptions. The university formally reported the incident to the cyber-crime division of the Landeskriminalamt (State Criminal Police Office) and fulfilled legal obligations by notifying the Hamburg Commissioner for Data Protection and Freedom of Information under Article 33 of the GDPR. CERTnord, a regional computer emergency response team, was also engaged for incident coordination. Initial notifications to affected individuals occurred on January 6, 2023, confirming unauthorized data access but providing no evidence of data exfiltration at that stage.

The attack’s consequences escalated on March 5, 2023, when stolen data appeared on darknet platforms, prompting HAW Hamburg to issue Article 34 GDPR notifications to impacted individuals. Forensic analysis revealed the compromised data included personal information, though the university committed to direct postal notifications only for cases presenting high risks to personal rights and freedoms.

Recovery efforts extended through 2023, with phased restorations of academic services: by December 2023, student ID cards could be reissued and validated, though semester ticket functionality remained inoperative, necessitating temporary printed replacements. Access to grades via myHAW was progressively reinstated, with students in Public Management, Nursing, Business, and several life sciences departments regaining access by early December 2023, while engineering and computer science departments awaited restoration.

The data breach facilitated secondary criminal activities, including fraudulent phone calls impersonating law enforcement agencies like Europol and the BKA, commercial fraud involving illicit purchases using stolen identities, and targeted phishing campaigns. HAW Hamburg advised vigilance, recommending verification of unsolicited communications, immediate police reporting for identity misuse (referencing case file LKA541/1K/0870845/2022), and credit monitoring through agencies like Schufa.

IT recovery timelines highlighted persistent operational challenges, including delayed grade submissions by faculty and reliance on manual transcript issuance through Faculty Service Offices for urgent academic needs.
