Information for former employees and former associates of the Austrian Academy of Sciences (OeAW) regarding the cyber incident at an external service provider
24.10.2025
The external payroll service provider Infoniqa Österreich GmbH has fallen victim to a cyberattack.
Infoniqa has informed the Austrian Academy of Sciences (OeAW) that criminal hackers stole personal data during the course of the cyberattack. After thorough examination, we must currently assume that all employees who are or were employed at the OeAW, as well as other individuals working at the OeAW—and possibly their relatives—may be affected, provided that their personal data were transmitted to Infoniqa Österreich GmbH (in particular since 2019). This may also affect the OeAW’s subsidiaries (CeMM, IMBA, GMI).
The General Data Protection Regulation (GDPR) stipulates that affected persons must be informed without delay, which we are hereby doing. The OeAW regrets this unpleasant situation and is doing everything within its power to address the incident and minimize any negative consequences for those affected.
Due to the nature of the compromised personal data, there is a risk of identity theft or other potential scenarios described in the FAQs. A detailed description of the measures already taken and those planned to remedy the data breach and mitigate possible adverse effects can be found in the FAQs provided below.
If you have any questions related to the incident, please contact the data protection officer at datenschutz(at)oeaw.ac.at.
What exactly happened?
Our external service provider Infoniqa Österreich GmbH (hereinafter referred to as “INFONIQA”), which handles payroll services and manages the electronic personnel records for the OeAW, was the target of a cyberattack. During this attack, data were stolen, and a portion of the stolen data was published by the hackers on the darknet. The OeAW itself was not attacked. The relevant authorities have been notified. According to current information, around 300 client companies in Austria were affected by the cyberattack on INFONIQA—one of them being the OeAW.
What is INFONIQA?
Infoniqa Österreich GmbH is a leading software provider in the HR and finance sector in the DACH region (Germany, Austria, Switzerland). The company was founded in 1988 and currently operates from 11 locations, serving around 35,000 corporate clients.
What data does INFONIQA manage?
INFONIQA manages personal data in connection with personnel files and payroll processing. This includes payroll data such as master data, bank details, social security data, bank cards, e-cards, and data from the personnel file such as: contact details, passport, ID card, proof of citizenship, birth certificate, registration certificate, child benefit information, marriage certificates, disability ID, certificates, residence permits, and visas.
For what purposes and on what legal basis were personal data transmitted to INFONIQA?
The OeAW processes personal data for the purposes of payroll accounting and maintaining personnel files. The legal basis for this is the fulfillment of contractual obligations or compliance with legal requirements.
The OeAW commissioned INFONIQA to perform these tasks under several agreements, including a data processing agreement. INFONIQA committed to complying with the security standards outlined by the Austrian Chamber of Public Accountants. No separate legal basis is required for this type of data transfer under the GDPR.
INFONIQA is the market leader in this field, handling payroll for approximately half a million employees.
What data are affected, and should we expect further releases?
A portion of the stolen data has already been published by the hackers on the darknet. We currently assume that all personal data processed by INFONIQA may be affected. We cannot provide information on the number of affected datasets or individuals; however, we have asked INFONIQA to specify the affected data and figures.
We therefore assume that all employees, civil servants, contractual staff, possibly their relatives, guest researchers, and contractors employed by the OeAW—particularly since 2019—may be affected if their personal data were transmitted to INFONIQA.
Is it likely that my data will be used illegally—immediately or years later?
It’s difficult to say—both are possible. It’s also possible that your data will never be misused.
Immediate misuse may occur when data have direct monetary value (e.g., credit cards, online banking credentials, active login data).
Delayed misuse may occur when attackers store, package, or sell data (e.g., identity data, birth dates, ID copies). Such data might surface weeks, months, or even years later when used for targeted attacks (social engineering, credit fraud).
In any case, continued vigilance is important.
What has the OeAW done to clarify the situation?
Immediately after being informed by INFONIQA of the cyberattack, the OeAW contacted the relevant authorities and notified the Data Protection Authority. A crisis team was set up, and all relevant departments within the central administration and subsidiary organizations are actively working on the matter. The OeAW is doing everything possible to investigate the incident and take necessary actions.
How is it ensured that no further security breach occurs at INFONIQA?
The OeAW has commissioned an external cybersecurity firm to assess the effectiveness of the implemented and planned IT security measures at INFONIQA. This firm will verify whether the promised security measures have been properly implemented.
Measures taken by the OeAW:
Updated encryption procedures with INFONIQA
Changed passwords
Payments (salaries, travel expenses, etc.) are only processed after verifying data integrity
Measures taken by INFONIQA:
System isolation to minimize damage
Securing and analyzing logs and system activities to detect suspicious traces
System scans to check for malware and known threat patterns
Review of system and security policies to identify and fix vulnerabilities
Impact analysis to understand which business areas and services were affected
Two external cybersecurity specialist teams are investigating affected systems, analyzing causes, and developing recovery plans
Can my data be deleted from or bought back from the darknet?
No, unfortunately this is not possible. Data cannot be effectively deleted once published on the internet.
Contacting darknet vendors does not guarantee that your data will be deleted or not resold.
What are the likely consequences of my data being published?
It cannot be ruled out that targeted phishing attempts, fraud attempts, or financial losses may occur as a result of this cyberattack. There is also a risk of exposure, discrimination, and identity theft.
What should I do now and what should I watch out for?
Please be aware that the data stolen from INFONIQA may be misused. Follow these tips to protect yourself from phishing or identity theft:
Regularly check your bank account transactions. Enable transaction notifications and contact your bank in case of irregularities. Consider changing your account number or requesting a new bank card if necessary.
Be cautious of unusual contact attempts.
Do not open suspicious email attachments or links. Delete suspicious emails.
If you receive excessive spam, use a spam filter.
Enable two-factor authentication wherever possible and never reuse passwords. Consider using a password manager.
Criminals may misuse your phone number (e.g., premium-rate calls). Ask your provider to block such numbers.
If you receive foreign calls you cannot identify, do not answer and block the number.
Some insurance policies (e.g., household insurance) include cybercrime support services—check with your provider.
You can check whether your data have appeared on the darknet using tools such as sec.hpi.de/ilc/ or haveibeenpwned.com.
Please treat this incident confidentially for your own protection and avoid posting about it on social media. Of course, you may inform authorities and your bank.
What should I do if I notice suspicious activity on my bank account?
Contact your bank immediately and report any irregularities. Block affected accounts or cards. If you suspect fraud, also inform the police.
Should I renew my passport?
Experts do not recommend automatically renewing your passport after a cyberattack. However, if you wish to do so, you can apply for a new one at your local district authority or consulate. Note that for legal transactions, the original passport is required; a copy leaked online would not suffice.
What should I do if I notice my data are being misused?
If identity theft or another crime involving your data occurs, report it immediately to your local police station. Inform friends or colleagues if you notice suspicious online activity under your name. Contact the relevant social media platforms or online services to have fraudulent profiles deleted.
What is the reference number of the police report filed by INFONIQA with the Styrian Police Directorate?
The case reference number is PAD/25/01634300/001/KRIM. You can download a copy of the police report here:
Download Police Report Confirmation
In addition, the OeAW has submitted a supplementary factual report, which you can download:
Download Supplementary Factual Report
Who can I contact if I have further questions?
For any additional questions, please contact the Helpdesk at: helpdesk(at)oeaw.ac.at
The OeAW Data Protection Officer, Dr. Thomas Berghammer, LL.M., is available at datenschutz(at)oeaw.ac.at, Dr. Ignaz Seipel-Platz 2, 1010 Vienna.
For more information, you can also contact cybercrime hotlines such as: City of Vienna Cybercrime Helpline: +43 1 4000-4006; Cybercrime Competence Center (C4), Austrian Ministry of the Interior: against-cybercrime(at)bmi.gv.at