Cyber Incident Victim: EKZ
Date:
Apr 2022
Location:
Germany
Summary
A cyberattack targeting a library service provider disrupted digital lending platforms, causing system failures that deleted copy-protected media files and impaired access to audiobooks, videos, and eBooks—some displaying only partial content. The incident rendered several websites and user forums inaccessible, though core lending systems remained operational. After restoration efforts, most services resumed with lingering delays in order processing and invoicing. The LockBit ransomware gang claimed responsibility, later leaking stolen data from the attack. Affected users were advised to delete and redownload compromised titles while the provider worked with law enforcement and cybersecurity specialists to recover.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On April 18, 2022, service provider EKZ suffered a cyberattack that disrupted operations for its library lending platform Onleihe and other affiliated systems. The attack rendered specific EKZ infrastructure unreachable, including the primary websites ekz.de, ekz.at, and ekz.fr, along with subsidiary platforms divibib.com, the divibib user forum, the divibib Pentaho statistics page, catalog data services, and ID-Delivery systems. This outage caused immediate service degradation for Onleihe, an app facilitating digital media lending for European libraries and institutions, including universities and the Goethe-Institut. The incident triggered system failures that deleted copy-protected files from Onleihe’s platform, requiring re-encryption and re-uploading of affected media. Users encountered functional limitations: audio and video files produced streaming errors, while compromised e-books displayed only the first chapter or fragmented content samples. Onleihe published a list of impacted titles and instructed users to delete and redownload affected files. Concurrently, the platform’s user forums became inaccessible due to unresolved technical issues indirectly linked to the attack.
EKZ initiated criminal proceedings with law enforcement and enlisted third-party cybersecurity specialists to assist recovery efforts while its internal IT team evaluated backup integrity. The LockBit 2.0 ransomware group claimed responsibility for the attack and later published allegedly stolen EKZ data on its leak site on April 28, 2022, though EKZ’s public communications did not explicitly reference ransomware. By April 29, EKZ reported restoring most systems, though invoice generation and order processing remained delayed due to offline shop equipment. Library user-facing systems operated by subsidiary divibib—excluding eAudio and eVideo lending—along with LMSCloud and email applications, were confirmed unaffected throughout the incident. The disruption impacted approximately 40% of Germany’s eBook consumption market served by Onleihe, though full restoration timelines for re-encrypting deleted files were not specified. EKZ maintained operational continuity for core lending functions while managing residual technical and logistical challenges stemming from the attack.