Cyber Incident Victim: Unfallkasse Thüringen
Date: Jan 2022
Location: Germany
Summary
The Unfallkasse Thüringen experienced a ransomware attack resulting in complete server encryption, prompting immediate notification to data protection authorities and initiation of legal measures. The organization engaged a qualified APT-Response provider to restore operations, a process anticipated to last several weeks, though the full impact remains unclear. Potential compromise of social data is under investigation, with affected individuals to be contacted if necessary. Current communications are limited to postal mail and telephone, with possible service delays due to high inquiry volumes.
Description
On January 4, 2022, Unfallkasse Thüringen (UKT), a German social accident insurance provider, suffered a ransomware attack that compromised its entire server infrastructure. Attackers successfully encrypted all organizational servers, rendering systems inoperable and forcing an immediate disruption of normal business operations. UKT promptly notified relevant data protection authorities and supervisory bodies about the incident, while also initiating legal measures to pursue criminal prosecution against the perpetrators. The organization engaged a specialized APT-Response service provider qualified under §3 of Germany's Federal Office for Information Security (BSI) Act to assist with recovery efforts. This cybersecurity firm worked alongside UKT's internal teams to restore operational capabilities through complete rebuilding of information technology systems, a process projected to continue until early February 2022. At the time of reporting, UKT could not quantify the full extent of damage caused by the encryption attack or definitively determine whether sensitive social insurance data had been exfiltrated. The organization committed to directly contacting affected individuals should subsequent investigations reveal compromised personal information related to insurance claims or beneficiary records.

The cyberattack severely impacted UKT's customer service channels and internal operations, restricting public communication exclusively to postal mail and a single telephone hotline (03621 777 222). Service availability degraded significantly as call volumes overwhelmed the reduced capacity, with UKT publicly acknowledging unavoidable delays in response times. While forensic analysis continued, restoration of digital systems remained the primary operational focus, with no interim technological workarounds implemented for online services. The organization maintained transparency regarding the anticipated month-long recovery timeline while refraining from speculating about potential data breach scenarios or attributing responsibility to specific threat actors. Business continuity measures prioritized core insurance functions through alternative manual processes where feasible, though the complete server encryption necessitated comprehensive system reconstruction rather than partial remediation efforts.
