THREAT BRIEFING · 09.07.2026 DEENFRES

Case Studies

Südwestfalen IT: The Lesson of Municipal IT

By Benedikt Langer · July 5, 2026 · 6 min read

On October 30, 2023, the ransomware group Akira encrypted the systems of Südwestfalen IT. More than 70 municipalities suddenly came to a standstill: citizen service offices, registration services, specialized procedures. The attackers gained entry through a single open point: a VPN access without multi-factor authentication. Two and a half years later, the incident is perhaps the most expensive lesson that municipal IT in Germany has learned.

The Key Points at a Glance

  • Entry via a VPN without MFA: The attackers exploited a vulnerability in a VPN solution that did not require a second factor.
  • One Service Provider, Many Victims: More than 70 municipalities were affected, by some counts more than 100. One attack, shared reach.
  • No Ransom, Clean Backups: Südwestfalen IT and the municipalities refused payment. Data exfiltration was considered unlikely; the backups were intact.
  • Recovery took months: Only through a coordinated phased plan did the specialized procedures return to normal operation.

Related:Adaptive MFA as a Zero-Trust Lever  /  When the Reporting Deadline Clock Starts Ticking

What Happened on October 30, 2023

In the early morning hours, encryption by Akira brought the central IT of a municipal service provider to a standstill. Südwestfalen IT operates the systems for a large number of cities, municipalities, and districts in the region. When the service provider failed, administration in the connected municipalities practically ceased at the same time.

The consequences were immediately felt in citizens’ daily lives. Appointments could no longer be booked, re-registrations and ID card applications stalled, specialized procedures came to a halt. A cyberattack that remains abstract in IT terminology turned here into closed counters and long waiting times.

The Open Door: A VPN Without a Second Factor

The decisive factor for any security assessment is the entry point. The attackers reached the internal network through a software-based VPN solution that had a vulnerability and did not require a second factor. A compromised remote access was enough to reach the central position.

This combination is the real lesson of the case. Remote access without multi-factor authentication is an invitation, especially on such an exposed and far-reaching system. The attack simply exploited a gap that could have been closed with standard measures. No sophisticated techniques were required. That is exactly what makes it so instructive.

Recovery and the Refusal to Pay Ransom

Südwestfalen IT and the affected municipalities decided against paying a ransom. This stance was possible because the backups were unaffected and data exfiltration was considered unlikely. The price was a self-managed recovery that stretched over months.

30.10.2023

Date of the Attack

>70

municipalities affected

0 €

no ransom paid

The path back followed a phased plan coordinated with the districts and municipalities that gradually returned the essential specialized procedures to normal operation. During the restart, the security gaps were closed. The case shows that a clean, isolated backup fundamentally changes the negotiating position against extortionists.

Why Municipal Service Providers Carry a Special Risk

The Südwestfalen IT case represents a structural pattern. A central service provider bundles the IT of many small administrations that cannot afford their own security departments. This bundling creates efficiency and at the same time a single, highly rewarding target.

For attackers the calculation is simple. A successful compromise of the service provider multiplies across all connected municipalities. This concentration demands a security level that matches its reach. A service provider working for 70 administrations carries 70 times the responsibility, far more than that of a single agency.

Five Transferable Lessons

The case translates into concrete consequences that apply to any organization with far-reaching IT.

Frequently Asked Questions

Each question is closed. A tap unlocks the answer.

How did the attackers get into the network?

Through a software-based VPN solution with a vulnerability that did not require multi-factor authentication. A compromised remote access was sufficient to gain access to the internal network of Südwestfalen IT.

Were any data stolen?

According to available assessments, data exfiltration was highly unlikely. The backups were also unaffected. This was an important prerequisite for the decision against paying a ransom.

Why did the recovery take so long?

Because the central IT of many municipalities had to be rebuilt cleanly and securely instead of being quickly unlocked with a ransom payment. A coordinated phased plan gradually returned the specialized procedures to normal operation.

Could the attack have been prevented?

The specific entry via remote access without a second factor would have been significantly more difficult with consistent multi-factor authentication. Absolute security does not exist, but this one measure would have closed the door that was used.

What is the most important lesson for other service providers?

That security requirements increase with reach. Anyone who bundles the IT of many customers must maintain a correspondingly high level of protection, starting with MFA on all access points and cleanly separated backups.

Editor’s Picks

Editor’s PickAdaptive MFA: NIS2 Pressure as a Zero-TrustEditor’s PickFrom When the Reporting Deadline Clock Really Starts TickingEditor’s PickDORA in Operation: What the Regulator Wants to See

More from the MBF Media Network

cloudmagazinKRITIS in the Cloud: What Secures the MigrationDigital ChiefsThe AI writes the code. Who is liable for it?MyBusinessFutureThe AI oversight in Germany now has an address

Further reading

A magazine by Evernine Media GmbH