Cyber Incident Victim: Heiltherme Bad Waltersdorf GmbH & Co. KG
Date: Sep 2022
Location: Austria
Summary
A ransomware attack hit a thermal spa facility in Bad Waltersdorf, encrypting the organization's data and demanding a ransom in cryptocurrency. The incident was detected when employees lost access to their computers; by the end of that day it was clear the entire network had been compromised and its data encrypted. The attackers made contact the same day and formalized their financial demand the next. Guest operations continued normally, with one exception: the chip wristbands used for cashless payment inside the spa stopped working. Insurance representatives handled negotiations with the perpetrators, while criminal police specialists and external IT forensic investigators examined the intrusion; at the time of initial reporting, neither the intrusion vector nor the scope of any data theft was known. Email services were restored roughly two days after detection. The CEO described the attack as professionally planned, noting similarities to a ransomware incident at the nearby municipality of Feldbach the previous week.
Description
On September 11, 2022, Heiltherme Bad Waltersdorf GmbH & Co. KG experienced a cyberattack that disrupted its operations. The incident began early Sunday morning when employees discovered they could no longer access their computer systems. As the day progressed, it became evident that the entire network had been compromised by attackers who encrypted organizational data. Later that Sunday the perpetrators made contact with the thermal spa, and a formal ransom demand followed on Monday. The demand specified payment in cryptocurrency, though the exact amount was not disclosed publicly. Therme Bad Waltersdorf CEO Gernot Deutsch characterized the incident as a "long-prepared, professional attack," noting similarities to a separate ransomware incident targeting the municipality of Feldbach the prior week. Despite the system compromise, the facility maintained normal guest operations with one critical exception: the chip-enabled wristbands used for cashless payments in the spa's gastronomy services became non-functional, requiring alternative payment methods.

The organization activated its incident response protocol involving multiple stakeholders. Insurance representatives assumed negotiation responsibilities with the attackers, while specialists from the criminal police and external IT forensic teams investigated the breach. Technical recovery efforts achieved partial success by Tuesday afternoon when email services resumed functionality. However, two critical aspects remained undetermined during the initial response phase: the specific attack vector exploited by the threat actors and the full scope of potentially exfiltrated data. Operational continuity measures allowed the spa to maintain guest services throughout the incident, though the payment system disruption represented an ongoing logistical challenge. Coordination occurred between spa management and Feldbach municipal officials due to the tactical parallels between the two geographically proximate cyberattacks.
