Cyber Incident Victim: Amtliche Schulverwaltung (ASV)
Date:
Oct 2022
Location:
Germany
Summary
A ransomware attack targeted servers hosting the Amtliche Schulverwaltung (ASV) school administration system at the Medienzentrum München-Land, encrypting data including student and staff names, addresses, and operational records like class schedules. The attack compromised connected backup storage, rendering 55 schools in München and 20 in Berchtesgadener Land unable to access ASV. Immediate containment measures severed server and internet connections, with new systems deployed for damage assessment. While the Medienzentrum's isolated network design prevented compromise of broader county administration systems, affected schools were provided alternative ASV solutions and potential data restoration paths via recent anonymized backups submitted to Bavaria's education ministry. Authorities and data protection officials were notified.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On October 20, 2022, a ransomware attack compromised servers at the Medienzentrum München-Land (Munich-Land Media Center), specifically targeting systems hosting the Amtliche Schulverwaltung (ASV), Bavaria’s official school administration platform. Attackers encrypted data stored on these servers, rendering it inaccessible. The intrusion was detected within minutes, prompting immediate disconnection of all server-to-server and internet links to contain the breach. Despite rapid response, the encryption process completed, affecting databases containing names, addresses, and operational records (e.g., class schedules) for 55 schools in Munich-Land district and 20 schools in Berchtesgadener Land district. Connected backup storage media, attached to the compromised server during the attack, were also destroyed, eliminating immediate recovery options. The ASV platform became fully inaccessible to schools, though regular teaching operations continued unaffected.
The Medienzentrum initiated server replacements immediately after containment to assess damage and restore functionality. Schools were notified of the incident on the following Monday morning and offered alternative ASV hosting options, including support for deploying local servers or engaging third-party providers. Crucially, the attack remained confined to ASV-hosted servers due to network segmentation isolating Medienzentrum systems from the broader Landkreis München (Munich County) administration infrastructure, which remained uncompromised. Affected schools could potentially recover data from anonymized backups submitted to Bavaria’s Ministry of Education during routine October audits, minimizing reconstruction efforts to institutions lacking recent backups. The Bavarian Data Protection Authority was formally notified, and investigators confirmed that while attackers applied additional encryption to pre-encrypted server data, no evidence suggested unauthorized data exfiltration. Landkreis München reiterated its multi-layered security framework’s role in limiting the breach’s scope and announced plans to review existing safeguards for potential enhancements.