Cyber Incident Victim: Gemeinde Hülben
Date: Jun 2023
Location: Germany
Summary
A cyberattack severely disrupted the municipal administration of Hülben, rendering it unreachable by phone or email. IT systems were taken offline to contain the incident, halting most administrative functions and forcing the cancellation of appointments. An investigation confirmed a data breach occurred, though the full scope of exfiltrated information remains under forensic analysis. Law enforcement and the state cybersecurity agency were immediately engaged, with no ransom demand received from the attackers.
Description
On the afternoon of Wednesday, June 14, 2023, the municipal administration of Hülben first experienced significant technical problems. These issues manifested as a complete loss of telephone and email communication, rendering the town hall unreachable. In immediate response to these disruptions, external IT experts were engaged and initial countermeasures were taken. The nature of the event was not immediately confirmed, but the severity of the outage prompted swift action. As a precautionary security measure, the entire IT infrastructure of the administration, including computer systems and the telephone exchange, was deliberately powered down. This decisive action was taken to prevent any potential escalation or spread of a suspected cyber incident. The shutdown resulted in a near-total cessation of normal administrative operations, as daily workflows were heavily reliant on access to the central server and connected computers.

By Thursday, June 15, 2023, cybersecurity experts confirmed the initial suspicions, officially classifying the event as a cybersecurity incident. This confirmation triggered a more formalized and expansive response protocol. The municipality had already filed a report with the Central Cybercrime Contact Point (ZAC) of the Baden-Württemberg police, and this engagement intensified following the official confirmation. The Esslingen Criminal Police Directorate assumed lead responsibility for the criminal investigation, with the Tübingen public prosecutor's office serving as the competent judicial authority. Parallel to the law enforcement response, Hülben activated its support network. The community's IT service provider, Komm.ONE, and the Cybersecurity Agency of Baden-Württemberg (CSBW) were brought in to work on identifying the root cause, implementing remediation, and conducting a forensic examination of the compromised systems. The CSBW demonstrated a rapid response capability, dispatching a Mobile Incident Response Team (MIRT) to Hülben on the same day the incident was discovered, Wednesday, June 14.
The operational impact on the municipality was severe and protracted. The town hall remained closed for the foreseeable future. For citizens, this meant the cancellation of all appointments booked through the online scheduling system for the subsequent two-week period; new appointments within that timeframe could not be made. The administration's ability to process routine tasks was severely hampered due to the inability to access critical systems and data. However, facilities outside the town hall, such as the public works department (Bauhof), school, cafeteria, and childcare services, continued to operate with nearly no restrictions, and their staff remained reachable. To address absolute emergencies, the neighboring municipality of Grabenstetten provided support, allowing some essential services to be offered through a temporary contact number and email address, though citizens were advised against transmitting sensitive personal data through these channels. An initial assessment indicated that the IT systems would remain offline and unavailable until at least June 22, 2023, with no definitive timeline for a full return to normal operations.
A critical aspect of the forensic investigation focused on determining whether a data exfiltration had occurred. Initial statements from the municipality indicated that the ongoing intensive forensic analyses had not yet yielded a final conclusion on whether data had been stolen or what specific areas of the network might have been accessed. However, a subsequent update confirmed that a data breach had indeed taken place as a result of the cybersecurity incident. The meticulous process of reviewing and analyzing the scope of the impacted data and identifying the specific types of data involved was still ongoing at the time of the latest report. The municipality committed to communicating further details and notifying affected individuals should the investigation determine that personal or sensitive data was compromised. Relevant data protection authorities, including the State Commissioner for Data Protection and Information Security and the municipal data protection officer for Hülben, were formally informed of the incident as part of regulatory compliance.
Throughout the event, no ransom demand was received by the municipality. The investigative focus remained on understanding the attack methodology and identifying the perpetrators, though officials declined to provide specific details citing the ongoing criminal proceedings. The response effort was characterized by a collaborative approach involving multiple entities working under high pressure. The municipality publicly expressed gratitude for the comprehensive support received at all hours from its IT service provider Komm.ONE, the Cybersecurity Agency Baden-Württemberg (CSBW), the neighboring community of Grabenstetten, and the police. The recovery process involved not just the restoration of systems but also a reassembly of the IT infrastructure with a planned increase in security standards to fortify against future threats. The incident represented a significant disruption to public services, underscoring the vulnerability of municipal IT systems and the complex, multi-faceted response required to address a serious cyber attack.
