Cyber Incident Victim: Hessische Hochschule für öffentliches Management und Sicherheit (HöMS)
Date:
Feb 2024
Location:
Germany
Summary
A cyberattack targeted the old network infrastructure of the Hessische Hochschule für öffentliches Management und Sicherheit, potentially compromising personal data dating back over a decade, including names, addresses, contact details, images, license plates, and possibly tax numbers, banking information, and health records such as medical certificates and vaccination data. The breach affected students, former employees, lecturers, and business partners, with risks encompassing privacy violations, identity theft, social engineering, and phishing exploitation due to exfiltrated communication details. Criminal charges were filed, and investigations by law enforcement and prosecutors remain ongoing, while the institution notified potentially impacted individuals under GDPR obligations and established a dedicated contact channel for inquiries.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Between February 8 and February 13, 2024, the Hessische Hochschule für öffentliches Management und Sicherheit (HöMS), also known as the Hochschule für Polizei und Verwaltung (HfPV), experienced a cyberattack targeting its legacy "old HfPV network." Initial forensic analysis conducted by the Hessian State Criminal Police Office (HLKA) confirmed the incident involved potential unauthorized data exfiltration, prompting the institution to issue a formal notification under Article 34 of the General Data Protection Regulation (GDPR). The compromised network housed personal data dating back to at least 2010, with the investigation unable to definitively rule out data theft. Affected individuals included current and former students from the university’s administration and police departments, former HfPV employees, contracted lecturers, business partners, and other associated individuals.
The scope of potentially exposed data varied by victim category but consistently included names, residential addresses, email addresses, photographs, telephone numbers, and vehicle license plate information. Investigators also acknowledged the possibility that more sensitive information, such as tax identification numbers, bank account details, and health-related records—including medical certificates and vaccination data—may have been accessed. The university filed a criminal complaint, and the public prosecutor’s office continues to examine the incident. HöMS/HfPV emphasized heightened risks to affected individuals, including privacy violations, identity theft, social engineering, and phishing attacks leveraging the stolen communications data. The institution warned that existing data blocking or suppression orders might be circumvented using the exfiltrated information. A dedicated hotline and email address were established for inquiries, with the university expressing regret for the incident’s disruptions while urging vigilance among those potentially impacted.