Munich: ~120,000 student records suspected on the darknet — terminated employee under investigation
From CTI Daily Brief — 2026-06-17 · published 2026-06-17
LHM-Services GmbH, the municipal IT subsidiary of the City of Munich that runs school-administration systems for Bavarian schools, is investigating a suspected data-protection incident involving roughly 120,000 students — names, addresses, dates of birth, nationalities and school assignments (the 120,000 figure originates in press reporting; LHM-Services says it learned of the incident from the press and questioned whether the data was actually publicly available) (Heise Security, 2026-06-16). The investigation, led by Munich's cybercrime unit and the Bamberg prosecutor, centres on a former employee suspected of having mass-downloaded and retained the dataset shortly before leaving — i.e. a suspected insider data-theft, not an external intrusion. A darknet-research firm engaged by LHM-Services found no evidence the data was publicly listed for sale at the time of writing, so the actual circulation scope is uncertain. LHM-Services notified the Bavarian State Data Protection Authority under GDPR Article 33 and filed a criminal complaint (LHM-Services GmbH press release, 2026-06-15).
Defender takeaway: The root cause is the universal public-sector control gap — access deprovisioning for departing staff who hold export rights over centralised citizen/student data. Hunt for bulk export/download events (Windows EID 4663 object access; DLP/UEBA volume thresholds) by accounts flagged for offboarding, and bind database read/export credentials to just-in-time access tied to the HR offboarding workflow rather than only disabling the directory account. The exposure mirrors any Swiss canton or municipality running centralised school/citizen data through a third-party processor (GDPR/DPA Art. 5(1)(f) accountability extends to the processor).
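The hunt described in the takeaway, as an added example that is not part of the original brief: it counts distinct objects read per offboarding account in a sliding window over Event ID 4663 records. The dict layout of the events, the HR-fed `offboarding` set, the one-hour window, the threshold of 100 and all sample accounts and paths are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

READ_DATA = 0x1  # ReadData/ListDirectory bit of the 4663 AccessMask

def bulk_reads_by_leavers(events, offboarding, window=timedelta(hours=1), threshold=100):
    """Return {account: (window_start, distinct_objects)} for offboarding accounts
    whose busiest sliding window reaches the threshold (assumed tuning values)."""
    reads = defaultdict(list)
    for ev in events:
        acct = ev["SubjectUserName"].lower()
        if ev["EventID"] != 4663 or acct not in offboarding:
            continue  # offboarding: set of account names, assumed fed by HR
        if not int(ev["AccessMask"], 16) & READ_DATA:
            continue  # write/delete-only access is not an export signal
        reads[acct].append((datetime.fromisoformat(ev["TimeCreated"]), ev["ObjectName"].lower()))
    findings = {}
    for acct, rows in reads.items():
        rows.sort()
        best, left, counts = (None, 0), 0, defaultdict(int)
        for ts, obj in rows:
            counts[obj] += 1
            while ts - rows[left][0] > window:  # drop reads older than the window
                old = rows[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            if len(counts) > best[1]:
                best = (rows[left][0], len(counts))
        if best[1] >= threshold:
            findings[acct] = best
    return findings

def sample_events():
    """Constructed records shaped like exported 4663 events (not real data)."""
    t0 = datetime(2026, 1, 5, 17, 0)
    def ev(user, i, step, mask="0x1"):
        return {"EventID": 4663, "SubjectUserName": user, "AccessMask": mask,
                "TimeCreated": (t0 + i * step).isoformat(),
                "ObjectName": rf"D:\export\class_{i:04d}.csv"}
    out = [ev("a.leaver", i, timedelta(seconds=10)) for i in range(150)]  # burst
    out += [ev("b.leaver", i, timedelta(hours=1)) for i in range(20)]     # slow reads
    out += [ev("b.leaver", i, timedelta(seconds=1), "0x2") for i in range(300)]  # writes
    out += [ev("c.staff", i, timedelta(seconds=5)) for i in range(500)]   # not leaving
    return out

if __name__ == "__main__":
    print(bulk_reads_by_leavers(sample_events(), {"a.leaver", "b.leaver"}))
```

Event ID 4663 is only logged where file-system auditing is enabled and the object carries an audit entry (SACL), so an empty result on an unaudited share says nothing about exports.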