Cyber Incident Victim: Greece's Online Examination Platform

On or around May 29, 2023, the Greek national high school examination platform, known as the Subject Bank, was subjected to a significant cyberattack. The incident was described by the country’s Education Ministry as one of the most extensive cyberattacks in Greece’s history. The attack was technically identified as a distributed denial-of-service (DDoS) attack, a method which involves flooding a server with a high volume of internet traffic from numerous sources simultaneously. This coordinated influx of traffic was intended to overwhelm the platform's infrastructure and render it inaccessible to its legitimate users.

The primary impact of this DDoS attack was the widespread disruption of end-of-year high school examinations across Greece. The online examination platform is a critical national system designed to establish a uniform exam standard for students throughout the country. As a result of the system outage caused by the intense traffic flood, students were left waiting in their classrooms for hours for the exams to begin. The disruption and significant delays affected the scheduled administration of the tests over a two-day period. Despite the severity of the attack, the system was not fully disabled, allowing examinations to eventually proceed after considerable delays.

The Greek government responded to the incident by characterizing the attacks as highly intense and indicative of strong motivation and technical expertise on the part of the attackers. Official statements from the press office of Prime Minister Kyriakos Mitsotakis asserted that the attacks were successfully defended against by the relevant services within the ministries involved. The statement further emphasized that the authorities were prepared to mobilize any necessary resources to promptly tackle future cyberattacks of a similar nature, highlighting a commitment to securing national infrastructure.

In addition to the technical defense mounted by government IT services, a formal legal and investigative response was initiated. A prosecutor from Greece's Supreme Court ordered a full judicial investigation into the incident. This investigation was to be conducted with assistance and expertise from the national police’s cybercrime division. The objective of this judicial probe was to ascertain the facts surrounding the attack and to identify those responsible.

At the time of reporting, no individual or group had claimed responsibility for the DDoS attack. Furthermore, no ransom demand was reported in connection with the incident, distinguishing it from financially motivated cybercrime such as ransomware. The motivation behind the attack remained unclear. The incident was notable for its scale and target, as it disrupted a centralized nationwide examination system rather than targeting individual schools or local districts. This contrasts with other contemporary attacks on educational institutions, such as a ransomware attack on a private school in Virginia that forced a postponement of finals, or breaches at universities in Tennessee and Georgia where sensitive personal data was stolen. The attack on Greece's platform represented a direct challenge to a core function of the state's educational administration, causing systemic delay and inconvenience on a national scale. The full extent of any secondary consequences, such as potential rescheduling or grading delays, was not detailed in the immediate aftermath. The event underscored the vulnerability of critical public sector digital services to disruptive cyber threats and prompted a significant reaffirmation of the government's focus on cybersecurity readiness.