Cyber-attack on
IT systems Cyber-attack on IT systems

At the end of December, the information and communications infrastructure at HAW Hamburg was targeted by hackers. This was determined on 29 December 2022. Based on what we know to date, the hackers used decentralised IT systems to manually work their way  into HAW Hamburg's central IT and security systems via the network. Using this path, they also obtained the administrative rights for the central storage systems and compromised the central data storage. They then used the administrative rights to begin encrypting various virtualised platforms and deleting stored backups.

HAW Hamburg has filed a complaint with the cyber-crime division of the Landeskriminalamt. The Hamburg commissioner for data protection and freedom of information has been notified in compliance with article 33 of the General Data Protection Regulation, as has CERTnord, and the information about those impacted was published on 6 January 2023.

Upon the publication of personal information on the so-called darknet on 5 March 2023, those impacted were again informed pursuant to article 34 of the GDPR. Individuals will be personally notified by post if an analysis of the data indicates a high risk to their personal rights and freedoms.

During the cyber-attack on HAW Hamburg's IT infrastructure, the attackers accessed the university's central IT systems. Since 5 March 2023, we have been aware that data stolen during the attack have been published on the so-called darknet (please see the information provided pursuant to article 34 of the GDPR on 9 March 2023). In some cases criminals use stolen data for fraudulent activities such as phishing mails or to purchase items on the Internet using a fake identity.

We therefore want to ask you once again to be particularly vigilant. In the following, we provide information about common scams and how you should respond:

A.    Phone calls (from an individual or an automated voice) 

Criminals are increasingly pretending to be officers from Europol, Interpol or the Federal Criminal Police Office (BKA). This type of fake call could be connected to the cyber-attack at HAW Hamburg but doesn't necessarily have to be. Please remember: The police and other investigative agencies will never call you or require you to provide personal information via telephone. Nor do other government agencies and banks make such calls. If you follow the instructions, you may unknowingly be redirected to a number charging very high fees. Additionally, the perpetrators may also attempt to obtain additional information from you during the call in order to use it for other criminal activities.

How should you respond? 

1.    Do not follow the instructions, do not become caught up in a conversation and do not provide any information. Note the caller's number and hang up.
2.    Block the number and block any other numbers that have contacted you against your wishes.
3.    You can also submit a complaint about the number to the  Bundesnetzagentur.

B.    Commercial fraud on the Internet

In many cases, stolen personal and address information is also used to commit commercial fraud on the Internet – that is, to purchase items on the Internet in another person's name. The perpetrators order products and have them delivered to a package pick-up station or an alternative address. The invoices or, in some cases, collection letters then go to the unwitting victim of the theft.

How should you respond? 

1. Make a report to the police immediately if your identity has been used fraudulently. In your report to the police, please note the police file number for the cyber-attack (LKA541/1K/0870845/2022) if it is possible that the fraud could be linked to the cyber-attack at HAW Hamburg and the publication of your information on the darknet.
2. If you have received invoices, warnings or packages that you have not ordered, contact the company that sent them (be careful with supposed invoices that have been sent to you via email, as mails with the subject line 'Invoice' frequently contain files that can install malware on your device).
3. Keep in mind that any legal collection notices you may have received must be objected to before the applicable deadline.
4. Report identity fraud to the large credit agencies. You can find the forms for doing so at schufa.de and crifbuergel.de. If you would like to be certain that your identity has not been used to carry out criminal activities such as Internet fraud you can, after waiting a while, request a free credit report from the main credit agencies such as Schufa or CRIF in order to determine if unknown criminals have been using your name for their activities.
5. If you discover that fraud has been carried out in your name, it can also be worthwhile to request a so-called 'Einmeldung' (logging of the information) at the bigger credit agencies to make it more difficult for unknown criminals to misuse your identity.
6. Please bear in mind, though, that in this case companies with which you wish to conduct business and set up contracts will also be informed by the credit agencies that you have been the victim of identity fraud. This can result in your own contracts being subjected to more rigorous controls. This may mean that additional documents or proof of identity are requested and the processing time is longer.

C.    Phishing attempts 

Phishing is when a third party uses fake websites, emails or text messages to impersonate trustworthy individuals, companies or organisations. The goal of the attacker in such cases is to obtain additional personal information or to infect your device with malware.

How should you respond? 

1. Always check the sender of the emails you receive by clicking on the sender's address. But please also note that even familiar sender addresses can be faked or used without permission by unauthorised people.
2. Pay attention to spelling mistakes or other conspicuous details (e.g. no greeting, different language, supposed urgency), which usually indicate that it is a phishing mail.
3. Do not open any attachments or links in suspicious emails. These can contain malware, which can damage your device or extract personal information such as bank account details from your device, which are then used for criminal activities.
4. If you are unsure, use another mode of contact (e.g. phone) to ask if the email really is from the supposed sender.

Thousands of passwords, user names and accounts are hacked each year. Social networks and entertainment sites are among the most common targets of phishing attempts. There are various online portals you can use to check whether your email address has been compromised. They compile information about known leaks and make it possible to search for email addresses. One of the most comprehensive services is Have I been Pwned?, which you can find at haveibeenpwned.com.

If you receive the notification 'Oh no – pwned', this means that the email address has been published in one or more leaks. Information about which leak this was is indicated on the website. In this case, what applies for everyone is even more important for you:

1. Select a strong password.
2. Use two-factor authentication whenever possible.
3. Select the 'Subscribe to notification' option from haveibeenpwned.com.

The website outlines these points under '3 steps to better security'.