School data published on the darknet: Affected party files complaint
As early as the beginning of 2025, criminals used the Lockbit ransomware to steal data from over 40 schools in Rhineland-Palatinate. This is now public.
Certificates, attendance lists, evaluations, health data – the dataset that the extortionists stole from over 40 schools in Rhineland-Palatinate covers all aspects of school administration. The file list alone comprises 500 MByte and lists 2.2 million files from Excel spreadsheets to videos of school trips. In total, the criminals published over 2 terabytes of stolen data at the end of January, much of it highly sensitive. Now, an affected party has filed a complaint with the responsible supervisory authority through their lawyer, and both the affected IT service provider and the city of Speyer have reacted to the publication.
In a press release dated March 5, the responsible Topackt IT Solutions GmbH confirms: “Since yesterday, confirmation has been available that the accessed data has been published by a known hacker group on the darknet and is accessible there.” They are now reviewing all data and will subsequently “inform the affected parties specifically and transparently about the scope of their respective data.” Furthermore, the company urges restraint to “avoid drawing additional attention to the data and to prevent further dissemination.”
Student reports security problems
A day earlier, the city of Speyer had also announced an examination of the leaked data in a brief statement. However, for one affected person, this “careful examination” was not fast enough. The former student of a Speyer school searched for clues on the darknet and discovered his contact details, absence records, and other information from his school career on the Lockbit ransomware leak site. Through his lawyer, he is filing serious accusations in a complaint to the data protection officer of the state of Rhineland-Palatinate.
He claims to have reported security problems with his school's server to the service provider at the end of 2023, while still a student, but felt he was brushed off. The former student describes his impressions to heise security as follows: “The IT service provider downplayed it significantly – you need criminal energy to do something like that, and there aren't many students who can do that.” Furthermore, in his impression, little was done. The student Wi-Fi was restricted, a file with plain text passwords was encrypted, and some user passwords were changed. An offer from the student at the time to re-test the security of the school server went nowhere.
About a year later, in January 2025, an “affiliate” of the Lockbit ransomware attacked the service provider Topackt and encrypted a total of 45 servers. As is typical for the group, the criminals made a copy of the data and exfiltrated it – they also urged Topackt via their leak site to make contact by January 30. Even then, the company confirmed the attack and the identity of the attackers to heise security – why Lockbit waited over a year to publish remains unclear.
The complainant is no longer a student but works for a Bamberg-based IT security company. He accuses the city of Speyer and Topackt of not taking the necessary steps to ensure data security. Furthermore, according to his lawyer in the letter, the city incompletely informed those affected. For example, “they were not notified about the scope of the incident and did not (!) receive a description of the likely consequences of the personal data breach,” writes lawyer Maisch.
We took a random look at the published data. The files correspond to what we would expect on the PCs of a school administration – and unfortunately, some of them offer a glimpse into the security level of the connected schools, and possibly also of the service provider. For example, many schools apparently assigned passwords to their students according to an easily guessable pattern that does not meet the state of the art and is obvious to every fellow student – but it does save annoying IT support. Over six hundred accounts also shared the same six-character lowercase password, and the notorious passwords “123456”, “start”, and “test” also made an appearance for several hundred accounts. At least 31 times, the most data-sparing password “1” was assigned – it can be stored in a data structure of one bit if necessary.
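The password hygiene problems described above are the kind an administrator can catch with a routine audit before any data ever leaks. The following is an added example, not code from Topackt or from this article: it takes a list of (username, password) pairs (constructed sample data here, with an assumed minimum length of 8 and an assumed known-weak list) and flags passwords that are on the weak list, too short, lowercase letters only, or shared by more than one account.

```python
from collections import Counter

# Constructed sample of an exported account list (username, password).
# Every value below is invented for this example; none comes from the leaked dataset.
SAMPLE_ACCOUNTS = [
    ("s.mueller", "abcdef"),
    ("l.schmidt", "abcdef"),
    ("m.weber", "abcdef"),
    ("k.fischer", "123456"),
    ("t.wagner", "start"),
    ("j.becker", "test"),
    ("a.schulz", "1"),
    ("p.hoffmann", "Xk7!pq2Lm9"),
]

# Assumed policy values; a real deployment would take these from its password policy.
COMMON_PASSWORDS = {"123456", "start", "test", "1", "password"}
MIN_LENGTH = 8


def audit_passwords(accounts, min_length=MIN_LENGTH, common=COMMON_PASSWORDS):
    """Audit (username, password) pairs.

    Returns (findings, shared): findings maps each weak account to a list of
    reasons; shared maps every password used by more than one account to its
    usage count. Run this on the provisioning export at assignment time rather
    than keeping a plaintext copy of the export around afterwards.
    """
    counts = Counter(pw for _, pw in accounts)
    findings = {}
    for user, pw in accounts:
        reasons = []
        if pw in common:
            reasons.append("common")
        if len(pw) < min_length:
            reasons.append("short")
        if pw.isalpha() and pw.islower():
            reasons.append("lowercase-only")
        if counts[pw] > 1:
            reasons.append("shared")
        if reasons:
            findings[user] = reasons
    shared = {pw: n for pw, n in counts.items() if n > 1}
    return findings, shared


if __name__ == "__main__":
    weak, reused = audit_passwords(SAMPLE_ACCOUNTS)
    for user, reasons in weak.items():
        print(f"{user}: {', '.join(reasons)}")
    print("passwords shared by more than one account:", reused)
```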
We found evaluations and service certificates from teachers, as well as photos and videos from school trips. In the wrong hands, the data provides starting points for identity theft and cyberbullying. However, Lockbit apparently could not monetize it. Its field of application is too limited.
Service provider defends against accusations
We asked Topackt for a statement regarding our observations and the former student's accusations. Topackt CEO Michael Nist responded very comprehensively and described in detail how the security lapse occurred. For example, the six-letter standard password for automatically installed systems was preset, and the password policies were partly individually agreed upon with schools. This was also necessary to account for the different IT skills of the students. Since the attack in 2025, schools have been advised to urgently change all passwords.
However, Nist vehemently contradicted the affected party's account. He stated that they had treated him respectfully but pointed out that only a few fellow students possessed the technical knowledge of the then 17-year-old. And they had reacted immediately – however, some changes led to disruptions in school operations and, not least, caused considerable costs for the school authorities. Nist told heise security: “We therefore firmly reject the accusation that nothing has changed.” Furthermore, Topackt has since completely revamped its security architecture, restricted access, and implemented EDR solutions for some school authorities.
Nist stated that neither Topackt nor the LKA could determine how the Lockbit affiliate had managed to penetrate the school network. It is presumed that the perpetrator gained access via a phishing attack, but the attack had nothing to do with the security vulnerability demonstrated by the former student years earlier. That vulnerability was based on physical presence in a school.
(cku)