Date: Mar 2024

Location: Germany

Summary

Attackers compromised Heinrich Heine University Düsseldorf's IT systems using stolen student credentials, gaining access to an e-exam platform and two datasets. The first contained exam questions, answers, evaluations, and names of approximately 15,000 students, while the second exposed names, email addresses, student IDs, majors, and staff affiliations for over 60,000 university members including students, employees, alumni, and guests. No passwords, grades, or additional sensitive personal data were accessed, leaving accounts secure. The breach exploited a vulnerability in the exam system after initial credential theft. The university swiftly blocked compromised accounts, decommissioned the affected system, reported the incident to data protection authorities, and filed a criminal complaint. No evidence indicates data exfiltration or manipulation of grading records.

Description

In mid-March 2024, Heinrich Heine University Düsseldorf (HHU) detected, through specialized intrusion detection systems, a cyberattack targeting its IT systems. Attackers gained initial access using stolen login credentials belonging to a small number of students, which provided entry to the university's E-exam platform. Through a security vulnerability in this system, the perpetrators escalated their access to two restricted datasets. The first compromised dataset contained academic examination materials including test questions, student answers, evaluations, and names of approximately 15,000 examined students, though it notably excluded final grades. A second dataset exposed user information associated with more than 60,000 university identifiers, encompassing names, email addresses, matriculation numbers, fields of study for students, and organizational affiliations for staff members. This breach affected current students, employees, alumni, and guests with system access credentials.

The university confirmed attackers could not alter examination results because grade-relevant data had been exported immediately after each exam. Forensic analysis found no evidence that perpetrators downloaded data from the systems or accessed account passwords, ensuring compromised credentials couldn't be used to hijack additional accounts. HHU's recently upgraded security systems enabled rapid detection and containment: compromised student accounts were blocked within hours, and the affected E-exam platform was decommissioned the following day. University administrators reported the incident to data protection authorities and filed criminal charges against unknown perpetrators. While stolen personal data poses privacy risks, investigators confirmed it cannot facilitate access to other HHU accounts or systems. The university initiated notifications to affected individuals where feasible, emphasizing that operational continuity of other IT infrastructure remained unaffected by the breach.
