The situation is aggravated by the fact that legally protected personal details of minor students, teaching staff, and hundreds of other employees in the educational sphere have ended up in the public domain. This incident delivers a serious blow to the reputation of municipal IT structures and requires an immediate legal assessment.
As a result of a large-scale compromise of protected information systems from a subsidiary company of the city of Munich, more than 100,000 structured records have entered the shadow segment of the internet (darknet). They contain detailed personal information of Munich school students, teachers, top management of educational institutions, as well as numerous administrative staff, ordinary employees of municipal kindergartens, and specialists of the city Department of Education and Sports (RBS). It is important to emphasize that strictly protected information turned out to be far beyond the security perimeter of the specialized company LHM Service GmbH (LHM-S). In addition, purely internal documents of LHM-S itself, shedding light on the operational activities of the structure, leaked into the network without hindrance. This is clearly evidenced by the alarming results of an exclusive investigation published by the Bavarian edition Abendzeitung München.
The Subsidiary Company Is Responsible for the IT Infrastructure of Educational Institutions
The complete datasets of compromised data were illegally distributed through the darknet for a long time and subsequently ended up at the disposal of the editorial office of the newspaper Abendzeitung in their original, unfiltered form.
Professional journalists promptly conducted a thorough verification and authentication check of the received information, directly contacting some of the affected individuals from the published lists. According to official statements from the editorial office, these datasets contain full names, verified home addresses, exact dates of birth, official names of specific educational institutions, and even detailed information about the citizenship of individuals.
The company LHM-S is a one-hundred-percent subsidiary structure of the capital of Bavaria and is fully funded by the funds of local taxpayers. According to official information from the enterprise itself, it bears full legal and technical responsibility for the uninterrupted maintenance and protection of the IT infrastructure of approximately 900 schools, large sports facilities, and kindergartens throughout the region. The scale of potential risks to the safety of citizens in this regard looks unprecedented, given the vulnerability of the target group, which includes minors.
Official Statements and the Course of the Investigation
The subsidiary company itself, as reported by the publication Abendzeitung München, has not yet presented a specific detailed assessment of the leaked datasets of information to the public at the current moment. A comprehensive internal audit of corporate security systems is still ongoing by forces of specialized professionals. The top management of the enterprise has already promptly sent an official statement to law enforcement agencies regarding the identification of an offense against unidentified persons, and also timely notified the state data protection supervisory authority to prevent further damage. And they could, like any self-sufficient and responsible person, not shift the responsibility onto subordinates, but take responsibility upon themselves and resign to begin with.
Simultaneously with this, representatives of the LHM-S administration publicly stated the presence of a so-called “serious initial suspicion” regarding one of the former employees of the company. According to the information that the management of the enterprise officially handed over to the newspaper, this person, on their very last working day in 2024, could have purposefully downloaded to external media and transferred to third parties protected data in a significant volume. The true motives of the alleged perpetrator are currently being established by the investigation.
(Are not the managers responsible for even the existence of the possibility for a simple ordinary specialist to download all data from the server, take or move data outside the office, and distribute it? — Ed.)
The Lord Burgomaster of Munich, Dominik Krause, also promptly commented on these resonant events, which have caused serious concern among citizens. In an official conversation with Abendzeitung journalists, the head of the city strictly emphasized that any possible violations of the strict requirements of European and German legislation in the field of data protection must be investigated by supervisory authorities in full, and the perpetrators must be held accountable.
Long-Term Consequences of the Incident
This incident clearly demonstrates that the leak of personal details of children and teachers in Munich actualizes the need for a radical revision of cybersecurity management standards in the municipal sector and in the region as a whole. The trust of citizens in the digital initiatives of the authorities directly depends on the state’s ability to guarantee the absolute confidentiality of the collected information, and this crisis will become a serious examination for the Bavarian administrative system.
