Cyber Incident Victim: SoftProject GmbH

Date:

Jun 2023

Location:

Germany

Summary

SoftProject GmbH experienced a ransomware attack using CryTox malware that encrypted part of its application landscape. The incident impacted its Software as a Service solutions, causing disruptions to BiPRO services between brokers and insurers. The company stated there was no evidence of a data breach. It took systems offline and is working with a crisis management team to restore services and develop enhanced security measures. The incident was reported to the relevant authorities.

Description

On or around July 1, 2023, Softproject GmbH, a provider of BiPRO services based in Ettlingen, Baden-Württemberg, fell victim to a significant cybersecurity incident. The company, which according to its website counted fifteen insurers among its clients, experienced a ransomware attack targeting its own data center. The attack was executed using the malicious software known as "CryTox." This incident highlights a growing trend in which not only insurers but also their service providers, particularly those in the software sector, are increasingly becoming targets for cybercriminals. In response to the attack, Softproject initiated a forensic investigation to determine the full scope and impact of the breach. According to a company spokesperson, the preliminary findings from these forensic examinations indicated no evidence of data exfiltration, suggesting that sensitive information was not stolen during the event. However, the ransomware did succeed in encrypting a portion of the company's application landscape, which directly impaired its operational capabilities and service delivery.

The immediate operational response to the encryption was deliberate and precautionary on the part of Softproject's management. The company's BiPRO On-Premises Services were confirmed to be unaffected by the attack. Nevertheless, upon discovering the ransomware incident, Softproject proactively took its Software as a Service (SaaS) solutions offline. This decisive action was taken to contain the threat and prevent any potential lateral movement or further damage to its systems. As a direct consequence of taking these SaaS solutions offline, disruptions occurred in the BiPRO services that facilitate interactions between insurance brokers and insurers. These services are critical for the daily operations of the insurance industry, enabling functions such as document transmission through broker management programs. The preemptive shutdown, while necessary for security, resulted in a temporary loss of availability for these essential communication and data exchange channels.

The service disruption had a tangible effect on the wider insurance ecosystem that relies on Softproject's infrastructure. Reports indicated that the BiPRO services of at least two insurers were temporarily unreachable, confirming the downstream impact on Softproject's client base. The company declined to specify the exact number of users or name the particular insurers that were concretely affected by the outage. This disruption underscored the interconnected nature of modern digital services and how an attack on a single service provider can create a ripple effect, impairing business operations for multiple downstream organizations and their customers. Softproject communicated that it was in continuous dialogue with all its clients throughout the incident, working to keep them informed of the situation and the efforts being made to restore full functionality. The primary objective stated by the company was to return the services to full operational status in a timely manner.

To manage the response and recovery from the attack, Softproject engaged with an external expert team from Corporate Trust Business Risk & Crisis Management GmbH. This collaboration was aimed at leveraging specialized knowledge in handling such cybersecurity crises. The engagement involved not only addressing the immediate technical challenges of decrypting systems and restoring services but also a broader strategic review of the company's security posture. As part of this comprehensive response, Softproject announced its intention to develop a detailed catalog of measures. This planned catalog is designed to enhance the company's future ability to detect similar attacks more quickly and to strengthen the protection of its entire application landscape against such threats, thereby improving its resilience.

In adherence to legal and regulatory obligations, Softproject promptly reported the incident to the relevant authorities. The company filed a report with the Central Contact Point for Cybercrime (ZAK) at the Baden-Württemberg State Office of Criminal Investigation (LKA). Furthermore, the incident was reported to the State Data Protection Officer. These actions demonstrate the company's compliance with mandatory breach notification protocols and its cooperation with official investigations into the criminal act. The reporting to data protection authorities is a standard requirement, particularly when there is a potential risk to personal data, even though the initial forensic investigation had found no evidence of data theft at that stage. The engagement with law enforcement also signifies the serious nature of the ransomware attack and the intent to pursue legal action against the perpetrators. The incident serves as a case study in the critical importance of robust cybersecurity measures for service providers within essential industry supply chains and the complex challenge of balancing immediate containment actions with the need to maintain continuous service availability for clients.
