Munich data protection incident: 120,000 sensitive student records on the dark web?
In Munich, over 120,000 sensitive data records of students have fallen into unauthorized hands. However, it is unclear whether and where they circulated beforehand.
In Munich, a newspaper report is causing a stir, suggesting that personal data of more than 120,000 students from the city is circulating on the dark web. According to the IT company where the data is held, they only learned about the incident from the newspaper. The company, LHM-Services, refers to a report by the Abendzeitung, which states that the sensitive data “ended up where it should never be.” LHM-S criticizes that the allegedly affected datasets were not provided for examination even after being requested. A company specializing in dark web research could find no indication “that datasets related to this are findable and/or generally available on the dark web.”
Many accusations, little known
The trigger for the commotion is the exclusive report by the Abendzeitung, which, however, remains unclear on important points. The core issue is that tens of thousands of names, addresses, birth dates, nationalities, and schools were allegedly accessible to unauthorized individuals, but it is unclear exactly where. The newspaper says it checked the data on a sample basis and thus confirmed its authenticity. LHM-S manages the data as a subsidiary of the City of Munich and on its behalf for educational institutions in Bavaria's state capital. The company assures that it “cannot currently confirm the suspicion of an alleged data leak and cannot provide any information on the scope, type, and content of the allegedly publicly accessible data.”
LHM-S now points out that the newspaper report also explicitly leaves open “whether and to what extent these data are circulating at all.” The article states verbatim, “partly transferred via the dark web, the holdings eventually reached the AZ – which raises the question of whether and to what extent they are circulating.” LHM-S adds that in this context, the “potentially suspicious download behavior of a terminated ex-employee” who had access to such data is also being investigated. The company further writes that it immediately informed Bavaria's State Data Protection Officer and filed a criminal complaint against unknown persons. It says it is working at full speed to clarify the matter.
In the article, the Abendzeitung also places the current incident in the context of previous matters. According to the article, these concern allegedly insufficiently secured SharePoint servers. A whistleblower reportedly described the storage as being configured “so that practically anyone (internal and external) in the company could view the data.” It is unclear what exactly is meant by this. LHM-S emphatically rejects the “allegations regarding completed matters from the years 2023 and 2024.” According to the company, this was checked internally and externally, and there was never any possibility of access for unauthorized individuals outside the company. Therefore, there was no reporting obligation.
Politics reacts
In its statement, LHM-S further adds that much suggests that data is not freely available even now, “but was presumably deliberately leaked to third parties for press exploitation.” The AZ also does not state anywhere that the data were available on the dark web. BR quotes Munich's Mayor Dominik Krause (Greens) as welcoming the investigations that have been initiated and assuring that he places great importance on compliance with data protection regulations. Possible violations must be fully clarified, he said. Consequently, an urgent motion was filed in the city council to discuss the topic in the IT committee.
(mho)