{"id":20878,"date":"2026-07-05T07:00:00","date_gmt":"2026-07-05T07:00:00","guid":{"rendered":"https:\/\/www.securitytoday.de\/?p=20878"},"modified":"2026-07-09T16:08:51","modified_gmt":"2026-07-09T16:08:51","slug":"south-westphalia-it-the-lesson-of-municipal-it","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2026\/07\/05\/south-westphalia-it-the-lesson-of-municipal-it\/","title":{"rendered":"S\u00fcdwestfalen IT: The Lesson of Municipal IT"},"content":{"rendered":"<p><strong>On October 30, 2023, the ransomware group Akira encrypted the systems of S\u00fcdwestfalen IT. More than 70 municipalities suddenly came to a standstill: citizen service offices, registration services, specialized procedures. The attackers gained entry through a single open point: a VPN access without multi-factor authentication. Two and a half years later, the incident is perhaps the most expensive lesson that municipal IT in Germany has learned.<\/strong><\/p>\n<div style=\"background:#003340;color:#fff;padding:32px 36px;margin:32px 0;border-radius:8px;\">\n<p style=\"margin:0 0 18px 0;font-size:0.95em;font-weight:800;text-transform:uppercase;letter-spacing:0.2em;color:#69d8ed;border-bottom:2px solid rgba(105,216,237,0.25);padding-bottom:12px;\">The Key Points at a Glance<\/p>\n<ul style=\"margin:0;padding-left:22px;color:rgba(255,255,255,0.92);line-height:1.6;\">\n<li style=\"margin-bottom:10px;\"><strong style=\"color:#69d8ed;\">Entry via a VPN without MFA:<\/strong> The attackers exploited a vulnerability in a VPN solution that did not require a second factor.<\/li>\n<li style=\"margin-bottom:10px;\"><strong style=\"color:#69d8ed;\">One Service Provider, Many Victims:<\/strong> More than 70 municipalities were affected, by some counts more than 100. One attack, shared reach.<\/li>\n<li style=\"margin-bottom:10px;\"><strong style=\"color:#69d8ed;\">No Ransom, Clean Backups:<\/strong> S\u00fcdwestfalen IT and the municipalities refused payment. Data exfiltration was considered unlikely; the backups were intact.<\/li>\n<li><strong style=\"color:#69d8ed;\">Recovery took months:<\/strong> Only through a coordinated phased plan did the specialized procedures return to normal operation.<\/li>\n<\/ul>\n<\/div>\n<p style=\"font-size:0.88em;color:#666;margin:20px 0 32px 0;border-top:1px solid #e5e5e5;border-bottom:1px solid #e5e5e5;padding:10px 0;\"><span style=\"color:#004a59;font-weight:700;text-transform:uppercase;font-size:0.72em;letter-spacing:0.14em;margin-right:14px;\">Related:<\/span><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/05\/07\/adaptive-mfa-nis2-pressure-as-a-zero-trust\/\" style=\"color:#333;text-decoration:underline;\">Adaptive MFA as a Zero-Trust Lever<\/a>&nbsp;&nbsp;<span style=\"color:#ccc;\">\/<\/span>&nbsp;&nbsp;<a href=\"https:\/\/www.securitytoday.de\/en\/2026\/06\/25\/from-when-the-reporting-deadline-clock-really-starts-ticking\/\" style=\"color:#333;text-decoration:underline;\">When the Reporting Deadline Clock Starts Ticking<\/a><\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">What Happened on October 30, 2023<\/h2>\n<p>In the early morning hours, encryption by Akira brought the central IT of a municipal service provider to a standstill. S\u00fcdwestfalen IT operates the systems for a large number of cities, municipalities, and districts in the region. When the service provider failed, administration in the connected municipalities practically ceased at the same time.<\/p>\n<p>The consequences were immediately felt in citizens&#8217; daily lives. Appointments could no longer be booked, re-registrations and ID card applications stalled, specialized procedures came to a halt. A cyberattack that remains abstract in IT terminology turned here into closed counters and long waiting times.<\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">The Open Door: A VPN Without a Second Factor<\/h2>\n<p>The decisive factor for any security assessment is the entry point. The attackers reached the internal network through a software-based VPN solution that had a vulnerability and did not require a second factor. A compromised remote access was enough to reach the central position.<\/p>\n<p>This combination is the real lesson of the case. Remote access without multi-factor authentication is an invitation, especially on such an exposed and far-reaching system. The attack simply exploited a gap that could have been closed with standard measures. No sophisticated techniques were required. That is exactly what makes it so instructive.<\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">Recovery and the Refusal to Pay Ransom<\/h2>\n<p>S\u00fcdwestfalen IT and the affected municipalities decided against paying a ransom. This stance was possible because the backups were unaffected and data exfiltration was considered unlikely. The price was a self-managed recovery that stretched over months.<\/p>\n<div data-element=\"stat_row\" style=\"display:flex;flex-wrap:wrap;gap:16px;margin:32px 0;\">\n<div style=\"flex:1 1 200px;min-width:0;background:#003340;border:1px solid rgba(105,216,237,0.28);border-radius:10px;padding:22px 20px;box-sizing:border-box;\">\n<div style=\"font-size:1.4em;font-weight:800;color:#69d8ed;line-height:1.1;word-break:keep-all;\">30.10.2023<\/div>\n<p style=\"margin:10px 0 0;font-size:0.88em;color:#e6e3da;line-height:1.5;\">Date of the Attack<\/p>\n<\/div>\n<div style=\"flex:1 1 200px;min-width:0;background:#003340;border:1px solid rgba(105,216,237,0.28);border-radius:10px;padding:22px 20px;box-sizing:border-box;\">\n<div style=\"font-size:2.1em;font-weight:800;color:#69d8ed;line-height:1.1;word-break:keep-all;\">&gt;70<\/div>\n<p style=\"margin:10px 0 0;font-size:0.88em;color:#e6e3da;line-height:1.5;\">municipalities affected<\/p>\n<\/div>\n<div style=\"flex:1 1 200px;min-width:0;background:#003340;border:1px solid rgba(105,216,237,0.28);border-radius:10px;padding:22px 20px;box-sizing:border-box;\">\n<div style=\"font-size:2.1em;font-weight:800;color:#69d8ed;line-height:1.1;word-break:keep-all;\">0 \u20ac<\/div>\n<p style=\"margin:10px 0 0;font-size:0.88em;color:#e6e3da;line-height:1.5;\">no ransom paid<\/p>\n<\/div>\n<\/div>\n<p>The path back followed a phased plan coordinated with the districts and municipalities that gradually returned the essential specialized procedures to normal operation. During the restart, the security gaps were closed. The case shows that a clean, isolated backup fundamentally changes the negotiating position against extortionists.<\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">Why Municipal Service Providers Carry a Special Risk<\/h2>\n<p>The S\u00fcdwestfalen IT case represents a structural pattern. A central service provider bundles the IT of many small administrations that cannot afford their own security departments. This bundling creates efficiency and at the same time a single, highly rewarding target.<\/p>\n<p>For attackers the calculation is simple. A successful compromise of the service provider multiplies across all connected municipalities. This concentration demands a security level that matches its reach. A service provider working for 70 administrations carries 70 times the responsibility, far more than that of a single agency.<\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">Five Transferable Lessons<\/h2>\n<p>The case translates into concrete consequences that apply to any organization with far-reaching IT.<\/p>\n<ul style=\"line-height:1.7;\">\n<li style=\"margin-bottom:8px;\"><strong>MFA on Every Remote Access:<\/strong> No VPN or remote access without a second factor, without exception.<\/li>\n<li style=\"margin-bottom:8px;\"><strong>Isolated, Tested Backups:<\/strong> Backups that are isolated from the production network and regularly tested for restorability.<\/li>\n<li style=\"margin-bottom:8px;\"><strong>Reduce Attack Surface:<\/strong> Minimize exposed access points and keep the patch status of critical edge systems fully up to date.<\/li>\n<li style=\"margin-bottom:8px;\"><strong>Segmentation:<\/strong> Separate networks so that a compromised access point does not open the entire system.<\/li>\n<li><strong>Practiced Emergency Response:<\/strong> A recovery plan that is prepared and tested before it is needed.<\/li>\n<\/ul>\n<h2 style=\"padding-top:64px;margin-bottom:20px;\">Frequently Asked Questions<\/h2>\n<p class=\"st-faq-hint\">Each question is closed. A tap unlocks the answer.<\/p>\n<details>\n<summary><strong>How did the attackers get into the network?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">Through a software-based VPN solution with a vulnerability that did not require multi-factor authentication. A compromised remote access was sufficient to gain access to the internal network of S\u00fcdwestfalen IT.<\/p>\n<\/details>\n<details>\n<summary><strong>Were any data stolen?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">According to available assessments, data exfiltration was highly unlikely. The backups were also unaffected. This was an important prerequisite for the decision against paying a ransom.<\/p>\n<\/details>\n<details>\n<summary><strong>Why did the recovery take so long?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">Because the central IT of many municipalities had to be rebuilt cleanly and securely instead of being quickly unlocked with a ransom payment. A coordinated phased plan gradually returned the specialized procedures to normal operation.<\/p>\n<\/details>\n<details>\n<summary><strong>Could the attack have been prevented?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">The specific entry via remote access without a second factor would have been significantly more difficult with consistent multi-factor authentication. Absolute security does not exist, but this one measure would have closed the door that was used.<\/p>\n<\/details>\n<details>\n<summary><strong>What is the most important lesson for other service providers?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">That security requirements increase with reach. Anyone who bundles the IT of many customers must maintain a correspondingly high level of protection, starting with MFA on all access points and cleanly separated backups.<\/p>\n<\/details>\n<p>\n<!--ST-LOWER-CARDS lang=en--><\/p>\n<h3 style=\"margin:48px 0 18px;padding-left:12px;font-size:1.05em;font-weight:800;color:#e6e3da;border-left:3px solid #69d8ed;line-height:1.2;\">Editor&#8217;s Picks<\/h3>\n<p><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/05\/07\/adaptive-mfa-nis2-pressure-as-a-zero-trust\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/05\/adaptive-mfa-nis2-bsi-zero-trust-mittelstand-fido2-2026-hero-250x167.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">Adaptive MFA: NIS2 Pressure as a Zero-Trust<\/span><\/span><\/a><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/06\/25\/from-when-the-reporting-deadline-clock-really-starts-ticking\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/nis2-dora-dsgvo-meldefristen-vergleich-startpunkt-incident-cover-hero-1-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">From When the Reporting Deadline Clock Really Starts Ticking<\/span><\/span><\/a><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/06\/29\/dora-in-operation-what-the-regulator-wants-to-see\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/06\/dora-finanzinstitute-resilienz-nachweis-tlpt-cover-hero-250x141.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">DORA in Operation: What the Regulator Wants to See<\/span><\/span><\/a><\/p>\n<h3 style=\"margin:48px 0 18px;padding-left:12px;font-size:1.05em;font-weight:800;color:#e6e3da;border-left:3px solid #69d8ed;line-height:1.2;\">More from the MBF Media Network<\/h3>\n<p><a href=\"https:\/\/www.cloudmagazin.com\/en\/2026\/06\/29\/kritis-in-the-cloud-what-secures-the-migration\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-kritis-cloud-migration-c5-nis2-dachgeset-70478771.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#0bb7fd;margin-bottom:5px;\">cloudmagazin<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">KRITIS in the Cloud: What Secures the Migration<\/span><\/span><\/a><a href=\"https:\/\/www.digital-chiefs.de\/en\/the-ai-writes-the-code-who-is-liable-for-it\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-ki-generierter-code-haftung-governance-r-68881977-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#e8828d;margin-bottom:5px;\">Digital Chiefs<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">The AI writes the code. Who is liable for it?<\/span><\/span><\/a><a href=\"https:\/\/mybusinessfuture.com\/en\/the-ai-oversight-in-germany-now-has-an-address\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-die-ki-aufsicht-in-deutschland-hat-jetzt-91048899-250x141.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#aa8ac2;margin-bottom:5px;\">MyBusinessFuture<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">The AI oversight in Germany now has an address<\/span><\/span><\/a><!--\/ST-LOWER-CARDS--><\/p>\n","protected":false},"excerpt":{"rendered":"Two years after the Southwestphalia IT attack, Security Today dissects: VPN without MFA, rebuilding without ransom, and five lessons for municipal IT.","protected":false},"author":50,"featured_media":20751,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"municipal IT security","_yoast_wpseo_title":"South Westphalia-IT: The Lesson of Municipal IT","_yoast_wpseo_metadesc":"Uncover the 2-year aftermath of the Southwestphalia IT attack: VPN without MFA, rebuild without ransom, and 5 lessons for municipal IT.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"","_yoast_wpseo_opengraph-image-id":0,"_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"","_yoast_wpseo_twitter-image-id":0,"evm_cvss":0,"evm_risk":0,"evm_casefile":"","evm_primary_cve":"","_evm_translation_lang":"","featured_post":0,"featured_post_sortierung":0,"_wp_old_slug":[],"footnotes":""},"categories":[5],"tags":[],"class_list":["post-20878","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-case-studies"],"evm_reading_time_minutes":6,"wpml_language":"en","wpml_translation_of":18116,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/20878","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/50"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=20878"}],"version-history":[{"count":2,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/20878\/revisions"}],"predecessor-version":[{"id":21004,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/20878\/revisions\/21004"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/20751"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=20878"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=20878"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=20878"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}