
Cyber Incident Victim: Universitätsmedizin Mainz

Date:

Sep 2022

Location:

Germany

Summary

A cyberattack on an IT service provider compromised email log files belonging to Universitätsmedizin Mainz, exposing sender and recipient addresses, subject lines, and timestamps; no message contents, attachments, or medical data were accessed. The breach affected about 280,000 addresses across two datasets covering incoming and outgoing mail over distinct periods. The hospital's own email systems were not affected, but the stolen metadata raises the risk of phishing and social engineering against the individuals involved, because an attacker who knows who wrote to whom, about what, and when can craft a message that appears to continue a genuine exchange. The institution notified affected parties by email and advised vigilance against suspicious requests that reference earlier correspondence. External experts and law enforcement assisted in investigating the incident, which originated in the third-party provider's infrastructure.


Description

Attackers breached an IT service provider used by Universitätsmedizin Mainz and stole two log files containing email metadata from the hospital's mail traffic. The files covered messages sent to the hospital between September 1, 2022 and June 6, 2023, and messages sent from the hospital between May 6 and June 6, 2023; they recorded sender and recipient addresses, subject lines, and timestamps, but not message bodies or attachments. Around 280,000 email addresses were exposed in total. Hospital officials confirmed that no medical data, message contents, or attachments were accessed and that the hospital's own mail servers were not compromised; the exposure occurred entirely on the provider's side. The attackers later published the stolen files on darknet platforms.


Universitätsmedizin Mainz began notifying affected parties by email in January, after completing a risk assessment together with the IT provider, external cybersecurity experts, and law enforcement. The notices described the scope of the breach and warned that the stolen metadata raises the risk of phishing and social engineering attempts that build on the exposed communication patterns. The hospital's data protection and information security officers judged that this risk warranted proactive alerts even though no message contents had been exposed. The volume of affected addresses made the notification effort a logistical challenge. CEO Professor Ralf Kiesslich publicly acknowledged the incident's impact while stressing that the compromise originated outside the hospital. The security guidance to recipients focused on verifying that a sender is who they claim to be and on scrutinizing links and attachments in any email that refers to earlier correspondence, especially when it makes an unexpected request.
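The warning above rests on one mechanism: leaked thread metadata lets an attacker reply into a real conversation. The following is an added example of how a mail gateway or SOC could screen for that; it is written for this page and is not code from the hospital, its provider, or the report's sources. It assumes the defender keeps its own sent-mail log with the same four fields that leaked (sender, recipient, subject, timestamp) and treats an inbound "reply" as suspicious when its sender never took part in that thread, when the sender's domain is an edit or two away from a real participant's domain, or when Reply-To points to a different domain than From. All addresses, subjects, and timestamps are constructed, and the finding codes are this example's own.

```python
"""
Thread-hijack heuristics for inbound mail (added example, not from the
incident report). Assumes the defender has a sent-mail log with sender,
recipient, subject and timestamp, i.e. the same fields that leaked.
All sample data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Reply/forward prefixes in English and German Outlook localisations (Re:, AW:, WG:, Fwd:).
_PREFIX_RE = re.compile(r"^\s*(?:(?:re|aw|fw|fwd|wg)\s*:\s*)+", re.IGNORECASE)


def normalize_subject(subject: str) -> str:
    """Strip reply/forward prefixes, collapse whitespace and lowercase, so replies map to their thread."""
    stripped = _PREFIX_RE.sub("", subject)
    return re.sub(r"\s+", " ", stripped).strip().lower()


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; used to spot look-alike domains such as partner-1ab vs partner-lab."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    timestamp: str
    reply_to: Optional[str] = None


def build_thread_index(sent_log: list) -> dict:
    """Map each normalised subject to the set of addresses that legitimately took part in it."""
    index: dict = {}
    for m in sent_log:
        index.setdefault(normalize_subject(m.subject), set()).update(
            {m.sender.lower(), m.recipient.lower()}
        )
    return index


def check_inbound(msg: Message, index: dict) -> list:
    """Return finding codes for one inbound message; an empty list means nothing looked odd."""
    findings = []
    key = normalize_subject(msg.subject)
    looks_like_reply = bool(_PREFIX_RE.match(msg.subject))
    sender = msg.sender.lower()
    participants = index.get(key)

    if participants is None:
        # A "reply" to a thread we never had: typical of a cold phish dressed up as a follow-up.
        if looks_like_reply:
            findings.append("reply-to-unknown-thread")
    elif sender not in participants:
        findings.append("sender-not-in-thread")
        # Compare the sender's domain with every domain that really took part in the thread.
        known_domains = {domain_of(p) for p in participants}
        if any(0 < levenshtein(domain_of(sender), d) <= 2 for d in known_domains):
            findings.append("lookalike-domain")

    # Reply-To on a different domain than From redirects the victim's answer to the attacker.
    if msg.reply_to and domain_of(msg.reply_to) != domain_of(sender):
        findings.append("reply-to-domain-mismatch")
    return findings


# Constructed sent-mail log of the defending organisation (hypothetical addresses).
SENT_LOG = [
    Message("a.mueller@klinik.example", "lab@partner-lab.example", "Befund 4711", "2023-05-10T08:12:00"),
    Message("einkauf@klinik.example", "sales@medsupply.example", "Angebot Infusionspumpen", "2023-05-12T14:03:00"),
]

# Constructed inbound mail: one genuine reply and three that lean on leaked metadata.
INBOUND = [
    Message("lab@partner-lab.example", "a.mueller@klinik.example", "AW: Befund 4711", "2023-05-11T09:00:00"),
    Message("lab@partner-1ab.example", "a.mueller@klinik.example", "AW: Befund 4711", "2023-06-20T07:45:00"),
    Message("sales@medsupply.example", "einkauf@klinik.example", "Re: Angebot Infusionspumpen",
            "2023-06-21T10:15:00", reply_to="sales@quote-desk.example"),
    Message("unknown@freemail.example", "einkauf@klinik.example", "Re: Rechnung Q2", "2023-06-22T11:00:00"),
]


def triage(inbound: list, sent_log: list) -> dict:
    """Run every inbound message against the thread index; key is 'sender|subject'."""
    index = build_thread_index(sent_log)
    return {f"{m.sender}|{m.subject}": check_inbound(m, index) for m in inbound}


if __name__ == "__main__":
    for key, findings in triage(INBOUND, SENT_LOG).items():
        print(f"{key:60s} {findings or 'ok'}")
```

Subject matching is a heuristic: a colleague newly copied into a thread will trigger `sender-not-in-thread`, so the codes are triage signals for a reviewer or a warning banner, not grounds for automatic rejection. Where the inbound message carries In-Reply-To or References headers, matching those Message-IDs against the sent log gives a much stronger link to the real thread than the subject line does.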
