
Cyber Incident Victim: Münchner Verlagsgruppe

Date:

Jul 2023

Location:

Germany

Summary

A ransomware attack targeted the Münchner Verlagsgruppe, Germany's largest non-fiction publisher. The attackers, calling themselves 'Metaencrypter', encrypted and deleted most of the company's data and attempted to extort a ransom, which the publisher refused to pay. Sensitive author data, including bank details and contracts, was stolen. The incident required a complete rebuild of the IT infrastructure and the potential financial damage has not yet been quantified.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On or around July 25, 2023, the Münchner Verlagsgruppe, Germany's largest non-fiction book publisher, fell victim to a significant cyberattack. The incident began when employees arrived at work and turned on their personal computers, only to be confronted with a ransom note displayed directly on their screens. The perpetrators of this attack identified themselves using the moniker "Metaencrypter." The message demanded that the publishing house pay a ransom to the criminals. The management of the company, however, immediately adopted a firm stance against capitulating to these demands. The firm's managing director, Matthias Setzler, explicitly confirmed this position, stating, "We should pay a ransom. But we did not do that. We do not negotiate with criminals." In the immediate aftermath of the attack, the operational capacity of the entire company was severely degraded, with Setzler noting that initially, nothing worked at all.


The attack was identified as a ransomware incident, a type of cyberattack where malicious software is used to encrypt or steal data, holding it hostage until a payment is made. In this case, the attackers employed a dual strategy of data encryption and data theft. A forensic assessment of the situation revealed that the majority of the company's data had been deliberately deleted by the hackers, while the remaining data was fully encrypted, rendering it completely inaccessible to the company without the decryption keys held by the attackers. Beyond the encryption, the criminals successfully exfiltrated a significant amount of sensitive information from the publishing group's systems. The stolen data included personal details such as addresses, bank account information including tax identification numbers, and telephone numbers. Furthermore, confidential contracts between the publishing house and its authors were also taken.

The scale of the data breach was substantial, impacting approximately 5,000 authors associated with the various imprints under the Münchner Verlagsgruppe umbrella. This publishing group, co-founded by Matthias Setzler and Christian Jund in 2004 with the Riva Verlag, has grown to include several other notable publishers: the Finanzbuchverlag (FBV), mvg (which focuses on guidebooks), Lago (fiction), Redline (career and management), and avm (audiobooks). The company has a history of publishing works with or about prominent musicians, athletes, and politicians, including Bettina Wulff, the wife of the former German president, Bayern Munich honorary president Uli Hoeneß, then-national football team coach Hansi Flick, the late singer Karel Gott, rapper Bushido, and actor Mark Keller. Despite this high-profile clientele, the management indicated that the data of these celebrities was likely not compromised. Setzler explained that the Verlag typically does not store data on prominent individuals directly, as contracts are usually negotiated and held with their literary agencies instead.

The potential consequences of the data theft were severe, as stolen data of this nature typically finds its way onto the darknet. The darknet is a hidden segment of the internet notorious for facilitating illegal trade in a wide range of contraband, including sensitive personal information, drugs, and weapons. Once on these illicit marketplaces, the personal and financial details of the affected authors could be sold and used for various fraudulent activities. In response to this grave risk, the leadership of the Münchner Verlagsgruppe took proactive steps to warn all individuals whose data was stored on their systems and was therefore potentially exposed. Setzler and Jund personally signed letters that were sent via post to these affected parties. The correspondence explicitly warned recipients that their identities could be misused maliciously, citing a specific example where money could be fraudulently withdrawn from their bank accounts using the direct debit procedure. The letter urgently advised all recipients to monitor their bank statements regularly for any unauthorized transactions.

From a legal and law enforcement perspective, the company acted swiftly following the discovery of the attack. An official criminal complaint was filed with the central point of contact for cybercrime affecting the economy in Bavaria, which is located at the State Criminal Police Office (Landeskriminalamt - LKA). The subsequent investigation was taken up by specialists from Commissariat 122 at the Munich Police Headquarters. The overall direction of the investigation falls under the purview of the General Public Prosecutor's Office in Bamberg, which oversees the Central Office for Cybercrime in Bavaria (Zentralstelle Cybercrime Bayern). Oberstaatsanwalt Thomas Goger, the deputy head of this central office, provided details on the case, confirming it was being investigated as a ransomware attack. The specific legal grounds for the investigation include suspicion of attempted extortion, computer sabotage, and data alteration.

The context provided by law enforcement officials highlights the pervasive and serious threat that ransomware attacks pose to businesses and public institutions. The Bavarian LKA alone registered 380 such cases in the year 2021, indicating a high frequency of these incidents. However, Oberstaatsanwalt Goger also provided a sobering outlook on the prospects of the investigation and data recovery. He stated that, among the cases pursued by the Bamberg office, no perpetrator had ever been successfully identified. Furthermore, he indicated that in the majority of ransomware incidents, at least some portions of the encrypted data remain permanently lost and unrecoverable, even if a ransom is paid.

The operational and financial impact on the Münchner Verlagsgruppe was profound and multifaceted. The attack necessitated a complete rebuild of the company's compromised IT infrastructure. This involved the replacement of all affected hardware, including every personal computer and laptop within the organization. The entire digital infrastructure also had to be reconstructed from the ground up. Perhaps the most painstaking and costly process was the arduous task of attempting to reconstruct the lost data from backups and other available sources, a process fraught with difficulty given the extent of the deletion and encryption. The financial damage stemming from the attack was immediately significant but could not be precisely quantified in the immediate aftermath. Managing director Matthias Setzler emphasized the ongoing assessment, stating, "The material damage we cannot yet quantify at all." This statement underscores the extensive costs associated with system restoration, data recovery efforts, potential legal fees, and the incalculable impact of operational downtime and reputational harm following the breach of author trust.
