Cyber Incident Victim: Universität Innsbruck
Date:
Dec 2023
Location:
Austria
Summary
A cyberattack targeted the Universität Innsbruck, resulting in the unauthorized download of approximately 23,000 student records containing sensitive personal information, including names, birthdates, genders, residential addresses, and institutional email addresses. The university initiated countermeasures, notified affected individuals and authorities, and involved law enforcement while withholding specifics about perpetrators or motives for investigative reasons. Students were alerted to heightened phishing risks and instructed to report suspicious activity to the institution's IT department, though no immediate remedial actions were required from them.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On December 14, 2023, Universität Innsbruck in Austria experienced a cyberattack resulting in the unauthorized download of approximately 23,000 student records. The compromised data included sensitive personal information such as full names, birth dates, residential addresses, gender designations, and institutional email addresses. The university publicly disclosed the breach on December 18, 2023, confirming the theft occurred through unlawful data extraction but did not specify the attack vector or duration of unauthorized access. Law enforcement authorities were immediately notified, and the university implemented undisclosed technical countermeasures described only as "necessary" to contain the breach. No operational disruptions to academic functions were reported following the incident.
The university formally notified all affected students about the data compromise through official communications channels, advising heightened vigilance against potential phishing attempts targeting their stolen email addresses. While stating there was "no immediate action required" from students, the institution directed individuals to report suspicious communications to its Central Informatics Service. The Austrian Data Protection Authority was engaged in accordance with regulatory requirements, though no details regarding its investigative role were provided. Universität Innsbruck maintained that no further information about attacker motivations, identities, or methodologies could be disclosed during the active police investigation. The incident exposed affected individuals to potential secondary attacks leveraging their stolen personal data, with the university emphasizing ongoing coordination between its technical teams and law enforcement agencies.