Cyber Incident Victim: Bavarian State Government

Date: Dec 2022

Location: Germany

Summary

A phishing attack compromised credentials for 16 teacher and student accounts across nine schools within the Bavarian State Government's jurisdiction, with stolen credentials appearing on the darknet. As a precaution, nearly 10,000 accounts were temporarily suspended pending investigation, disrupting school operations. IT specialists identified and reactivated most accounts after verification, while enforcing mandatory 12-character password resets for Office 365 accounts to enhance security. The attack targeted cloud-accessible Microsoft applications like Teams, Word, and Excel, though no direct system breach occurred—the incident was detected during routine monitoring. Eleven schools were confirmed affected, with further investigations ongoing to determine the full scope.

Description

In December 2022, nine schools in Nuremberg, Germany, experienced a cybersecurity incident involving compromised Office 365 accounts. Security experts discovered during a routine investigation that login credentials for 16 teacher and student accounts had been listed for sale on the Darknet. The exposed credentials included usernames and passwords tied to the schools' IT systems, specifically affecting Microsoft Office 365 services. This suite provided access to communication tools like Teams for chat and video conferencing, along with productivity applications such as Word and Excel, including cloud storage functionality. As a precautionary measure, authorities disabled nearly 10,000 user accounts across the affected institutions to prevent potential unauthorized access. Notification procedures were activated immediately, with alerts sent to the impacted schools, the State School Office, and ministerial advisors at the Government of Middle Franconia. The city administration's systems remained unaffected due to their physical separation from school IT infrastructure, as confirmed by Nuremberg's School Commissioner Cornelia Trinkl.

IT specialists conducted intensive investigations throughout the weekend following the discovery to identify suspicious accounts. Their analysis expanded the scope to eleven schools, including Realschulen, vocational schools, and Gymnasien, with additional accounts remaining under review. By December 12, 2022, officials determined most disabled accounts showed no signs of compromise and began reactivating them to restore normal educational operations. As a security enhancement, mandatory password resets were enforced for all Office accounts, requiring new 12-character credentials meeting strengthened complexity standards. Authorities emphasized the incident stemmed from credential harvesting rather than a direct system breach, with the full extent of compromised accounts still under investigation at the time of reporting. No operational disruptions or data misuse beyond the initial credential exposure were confirmed in the available information.
