Cyber Incident Victim: Kantonsschule Hottingen
Date: May 2022
Location: Switzerland
Summary
A cyberattack targeted Kantonsschule Hottingen shortly before final exams, with attackers stealing access credentials and breaching protected IT system areas. The Zurich-based institution responded by recreating certain exams as a precaution, though no evidence indicated exam questions were compromised. Investigations revealed the attack originated via a foreign network node, though perpetrator details remain unknown. Following the incident, the school implemented two-factor authentication and collaborated with cybersecurity specialists on preventive measures to contain further risks. While stolen data included limited access credentials and specific information, stored data on affected systems reportedly remained intact. Normal school operations and exams proceeded without interruption despite the breach, with a criminal complaint filed against the attackers.
Description
In mid-May 2022, shortly before the scheduled Matura (final high school) examinations at Kantonsschule Hottingen in Zurich, unidentified hackers breached the school's IT systems. The attackers stole login credentials, gaining unauthorized access to protected areas of the network. School rector Daniel Zahno confirmed the intrusion, stating that according to their investigation, attackers exfiltrated individual access credentials and limited information. The breach originated from a foreign network node, though investigators could not determine the perpetrators' physical location due to this routing. As a precautionary measure, certain Matura exams had to be recreated despite no evidence suggesting exam questions had been compromised. The school immediately filed a criminal complaint and engaged cybersecurity specialists to conduct a comprehensive forensic investigation. Students were promptly instructed to reset all school-related passwords. While investigators identified the credential theft methodology, Zahno declined to disclose specific technical vulnerabilities, citing ongoing law enforcement proceedings. School operations continued uninterrupted throughout the incident response.

The attack occurred against a backdrop of increasing cyber incidents targeting Zurich's institutions, with cantonal police statistics showing a rise from 555 to 815 hacking, phishing, and malware cases between 2020 and 2021. Zurich's Education Directorate acknowledged heightened attack frequency across all sectors, including education. Kantonsschule Hottingen implemented two-factor authentication post-incident, requiring PIN verification for system access. Cybersecurity experts collaborated with the school to deploy preventive measures isolating compromised systems, with preliminary findings indicating no corruption or destruction of stored data. Dominika Blonski, Zurich's Data Protection Officer, highlighted systemic vulnerabilities in schools: large user bases with varying security awareness, mixing of personal devices with school networks, and inadequate role-based access controls despite storing sensitive psychological and medical student records. The Matura examinations proceeded as scheduled following these interventions, with Zahno confirming successful exam commencement four days post-disclosure.
