Potential Data Security Incident in Munich: Over 120,000 Student Records Reportedly Exposed

Tue 16th Jun, 2026

An incident involving possible unauthorized access to sensitive student data has stirred concern in Munich. Reports suggest that information belonging to more than 120,000 students from various educational institutions in the city may have been exposed, raising questions about data protection practices and digital security in schools.

Alleged Data Leak and Uncertainty Over Exposure

The situation gained attention following a media report indicating that personal data, including names, addresses, birthdates, nationalities, and school affiliations, may have been accessible to unauthorized individuals. The specific method and extent of the exposure remain unclear, as the origin and distribution pathway of the data have not been definitively established.

The IT service provider responsible for managing the data, LHM-Services, stated that it first became aware of the potential breach through press coverage. The company, which handles student data on behalf of the city's educational institutions, emphasized that it has not received the allegedly compromised records for verification. Furthermore, a cybersecurity firm specializing in monitoring the dark web reported no evidence that the data in question were available or disseminated there.

Media Report and Response from IT Provider

The newspaper that initially reported the incident claimed to have conducted spot checks on the exposed data, supporting its authenticity. However, the report did not detail the precise location or manner in which the data were made accessible, nor did it confirm widespread circulation. LHM-Services has highlighted that the report itself leaves open the question of whether and to what extent the data have been distributed or are publicly available.

LHM-Services indicated that it could not confirm the alleged leak or provide specifics regarding the nature, scope, or content of any potentially exposed information. The company is currently investigating the situation, with particular attention to the activities of a former employee whose download behavior has been described as unusual. This individual, who had legitimate access to the data, had recently left the organization.

Official Actions and Ongoing Investigation

Upon learning of the incident, LHM-Services promptly notified the Bavarian Data Protection Authority and filed a criminal complaint against unknown individuals. The company has stated it is cooperating fully with the relevant authorities to clarify the circumstances surrounding the potential breach and to determine the extent of any security lapses.

Local political figures have taken note of the incident. The city's mayor has expressed support for the ongoing investigation and reiterated the administration's commitment to strict compliance with data protection regulations. In the city council, a motion has been introduced to discuss the case urgently within the IT committee.

Background and Previous Security Concerns

The recent developments have reignited discussions surrounding previous allegations related to data security in Munich's educational IT infrastructure. According to the recent report, concerns were raised about the configuration of certain SharePoint servers, suggesting they may have allowed broader internal and external access to sensitive data than intended. However, LHM-Services has categorically denied any such ongoing issues, stating that prior incidents from 2023 and 2024 were thoroughly investigated and resolved, with no evidence found of unauthorized access from outside the organization. The company maintains that these matters did not require mandatory reporting, as no breach to external parties occurred.

In its latest statement, LHM-Services suggested that the current incident may not involve data that are freely circulating online but rather information that was selectively provided to media outlets. This assertion aligns with the original media report, which did not confirm the presence of the data on the dark web but did note that some records were transferred via the dark web before reaching journalists.

Wider Implications for Data Security in Education

This case underscores ongoing challenges faced by educational institutions in managing and securing large volumes of personal data. It also highlights the necessity for rigorous internal controls, regular security audits, and swift action when potential vulnerabilities are identified. As investigations continue, authorities and stakeholders are expected to evaluate current data handling protocols to prevent future incidents and to ensure compliance with data protection standards.

