
Cyber Incident Victim: OSG Hengelo

Date: May 2023

Location: Netherlands

Summary

A ransomware attack targeted OSG Hengelo, a school group (scholengemeenschap) in the Netherlands, encrypting its servers and severely disrupting operations. The attack caused a widespread loss of access to ICT systems, including Wi-Fi, printers, and telephones, preventing online work and access to digital resources for its approximately 2500 students and staff. An investigation by IT experts is ongoing to determine the cause, the specific data involved, and whether any information was stolen. Recovery has been lengthy, with services being restored gradually.

CIA Posture: available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: available to members
Location: available to members

Description

On the morning of Tuesday, May 23, 2023, OSG Hengelo discovered that all ICT systems across its school locations had ceased functioning. The school group, comprising Bataafs Lyceum, ’t Genseler voor Praktijkonderwijs, C.T. Stork College, and Montessori College Twente, experienced a complete failure of its telephones, Wi-Fi, and network. The initial assumption was that a major power outage during the preceding Pentecost weekend had caused the widespread disruption, and this belief delayed the identification of a cyber incident. Further investigation showed that the power outage was not responsible for the system failures, and the organization recognized it was facing a significant cybersecurity event. The incident was identified as a ransomware attack that had taken place on or around that Tuesday.


The primary impact of the attack was the encryption of the school group's servers, which left the school unable to access any data stored on the compromised systems. The encryption crippled core administrative and educational functions: the school lost all telephone capabilities, Wi-Fi connectivity, and network access. This total loss of ICT infrastructure had an immediate and substantial impact on the approximately 2500 students and staff across the four schools. Because all such data was held on the now-inaccessible servers, routine operational tasks such as retrieving digital late slips for students became impossible.

In response to the discovery, OSG Hengelo initiated an investigation and engaged IT experts to manage the incident. The school's board stated that it was doing everything possible to minimize the impact on employees and students. A key response action was the official reporting of the ransomware attack to the Autoriteit Persoonsgegevens (Dutch Data Protection Authority), as required by data breach notification regulations. This reporting acknowledged the potential compromise of personal data. The investigation into the cause of the attack and its full scope was stated to be ongoing a full week after the incident occurred, indicating the complexity of the forensic analysis required.

Recovery efforts were also underway but progressed slowly. By May 30, one week post-incident, the schools had managed to restore telephone service, making them reachable by phone again. However, critical services like Wi-Fi and printers remained non-operational. The lack of Wi-Fi had a pronounced effect on the educational process, particularly for students at Montessori College Twente, who relied on iPads for their schoolwork. Without a network connection, they could not work online or access digital resources. The school told these students that their internet connection would not be restored until the following week at the earliest, meaning they faced over two weeks of disrupted online learning. Furthermore, these students could not receive technical support from the ICT department for their devices, as that department was entirely consumed with incident response and recovery.

A significant point of uncertainty, and a central part of the ongoing investigation, was whether the attackers had exfiltrated data from the encrypted servers. The Autoriteit Persoonsgegevens commented on this common ransomware scenario, stating that when files are found encrypted, it is certain that the criminal had access to and opened those files, and therefore could have viewed, copied, stolen, or manipulated the data within them. Determining whether this access resulted in actual data theft at OSG Hengelo depended on forensic analysis of the server log files. The investigation was complicated by the fact that these log files could have been manipulated or deleted by the attackers if they were stored on the same infected servers, a potential security shortcoming. IT specialists generally advise maintaining a separate log server, isolated from the regular network, to preserve forensic integrity in such events. As of May 30, the school's board, through its representative Arjan Brunger, stated that it was not yet clear which specific data was involved in the attack or whether any data had been stolen.
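The isolated log server mentioned above is usually implemented by forwarding every host's logs in near real time to a collector that the ordinary network cannot write to except over the forwarding channel. The following rsyslog configuration is an added example and is not taken from OSG Hengelo's environment; the hostname logcollector.example.internal, the certificate paths, and the port 6514 are assumptions. The client side sits on each server; the collector side sits on the isolated log host.

```rsyslog
# ---- Client side: /etc/rsyslog.d/10-forward.conf on every server ----
# TLS with mutual (x509/name) authentication: a compromised server cannot
# impersonate another host's log stream, and the collector's identity is
# pinned, so logs are not diverted to a rogue receiver.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"          # assumed path
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/client-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/client-key.pem"
)

# Forward everything; a disk-assisted queue buffers messages if the
# collector is briefly unreachable, and retries never give up, so an
# outage does not silently drop the record of what happened.
*.* action(
  type="omfwd"
  target="logcollector.example.internal"   # assumed collector hostname
  port="6514"
  protocol="tcp"
  StreamDriver="gtls"
  StreamDriverMode="1"                      # 1 = TLS only
  StreamDriverAuthMode="x509/name"
  StreamDriverPermittedPeers="logcollector.example.internal"
  queue.type="LinkedList"
  queue.filename="fwd_queue"
  queue.maxDiskSpace="1g"
  queue.saveOnShutdown="on"
  action.resumeRetryCount="-1"
)

# ---- Collector side: /etc/rsyslog.d/10-receive.conf on the log host ----
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/server-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/server-key.pem"
)

# Accept only TLS connections from clients whose certificate name is in
# the assumed example.internal domain.
module(
  load="imtcp"
  StreamDriver.Name="gtls"
  StreamDriver.Mode="1"
  StreamDriver.AuthMode="x509/name"
  PermittedPeer=["*.example.internal"]
)
input(type="imtcp" port="6514")

# One file per sending host, so a single host's history is easy to pull
# during an investigation. Files are written by the collector only; the
# sending hosts have no file-system access here.
template(name="PerHostFile" type="string"
         string="/var/log/remote/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log")
*.* action(type="omfile" dynaFile="PerHostFile" dirCreateMode="0750" fileCreateMode="0640")
```

The design point is that the copy on the collector is the forensic record: even if ransomware encrypts or deletes the local log files on a server, the entries already forwarded survive on a host the attacker never had credentials for. To keep that property, the collector should sit on its own network segment with only inbound TCP 6514 permitted from the server network, and its own retention and backups should be managed separately from the systems it observes.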

The incident also triggered a political response within the municipality of Hengelo. Members of the city council learned of the ransomware attack through media reports and publicly stated that they had not yet been formally informed or briefed by the College van Burgemeester en Wethouders (the municipal executive board), specifically by the wethouder (alderman) responsible for Education. This lack of official communication from the municipal executive to the elected council indicated a delay or breakdown in the flow of information about a significant event affecting a large public institution and its constituents, the students and their parents. The council members asked to be briefed on the attack and its potential consequences for the affected families.

The prolonged outage underscored the school's heavy reliance on its digital infrastructure for both daily administration and pedagogical delivery. The inability to print, access central servers, or use the internet halted many standard procedures and forced a regression to manual workarounds where possible. The incident exposed the vulnerability of the educational sector to cyber threats and the extensive downstream effects a single attack can have on a community of thousands of students, disrupting their learning for a prolonged period. The full restoration of all systems, including the core network and Wi-Fi, remained an ongoing process more than a week after the initial discovery, with a timeline for complete recovery not yet publicly established. The forensic investigation by the engaged IT experts continued its work to establish the root cause of the breach, the extent of data involvement, and to confirm whether any data was exfiltrated by the attackers.
