There has been a confirmed data leak at Germany's Deutsche Bank and its Postbank, in which personal customer data such as name and IBAN (International Bank Account Number) have fallen into the hands of third parties. Customers who have used the "account switching service" of these banks are affected and have now been informed about the incident by letter. The victims face increased security risks. From my information, it is likely that the banks are victims of the MOVEit Transfer vulnerabilities. The banks are also likely to face claims for damages.
Data leak at service provider
Deutsche Bank began a couple of days ago (see my German blog post linked at the head of the article) informing its customers about a data theft that also affects Postbank customers. According to a first report by the Bonner Generalanzeiger, which is behind a paywall, personal data such as surname, first name and IBAN of account holders were stolen from an external service provider. Spiegel Online has published more details in this German article with reference to the report of the Bonner Generalanzeiger.
Customers of the two banks (Postbank is now owned by Deutsche Bank) who used a so-called account switching service of the institutions in past years are probably affected. This switching was handled by an external service provider, where the data was stolen by unknown attackers. Anyone affected should be informed of the incident by the two banks by letter.
The banks' account switching service moves a bank account from one bank to another. In the process, the standing orders, direct debits, etc. of the old account are analyzed, and the relevant parties are informed of the changed bank details for the direct debits and standing orders listed. The Deutsche Bank website states: "With our digital account switching service, you can quickly and conveniently move your old account to Deutsche Bank. In the process, your payment partners such as employers, mobile phone providers or insurance companies are automatically informed of your new bank details."
The external service provider had stored the account data in order to process the account switch. Spiegel Online quotes Deutsche Bank as saying that it was about customers who had used the account switching service in 2016, 2017, 2018 and 2020. A spokesperson told Spiegel Online that those affected had been informed in a letter.
Deutsche Bank further states that the cause of the incident has been identified and resolved by the affected service provider. Potentially, more than a hundred companies in more than 40 countries were affected. Deutsche Bank states that the bank's own systems were not compromised at any time. It also says the data protection incident has nothing to do with Postbank's IT integration, which has just been completed. How many data records are affected is unknown according to previous media reports.
It's not noted anywhere in my sources, but from a gut feeling I'm speculating that it might be related to the MOVEit vulnerability, which became known at the end of May 2023 and was exploited by the Clop ransomware group (see also the posts linked at the end of the article). Banks were also affected there. This German report from the consumer watchdogs also points in the direction of the MOVEit vulnerability as the culprit.
Victims should be vigilant
Because the unknown attackers had access to the name and IBAN, victims are potentially exposed to increased cyber risks. For example, the information in phishing emails could be used to target victims if the perpetrators combine the name with email addresses obtained from other data leaks – the probability of a match is high.
The greater risk is that the account data is misused by cyber criminals for bank debits or purchases on the Internet. Affected individuals should closely monitor account movements to identify unauthorized debits (debits initiated by the perpetrators, or internet purchases made by them). Unauthorized direct debits can be returned retroactively for up to 13 months, so that the money is then refunded by the bank.
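The monitoring described above can be partly automated. The following Python script is an added example, not code from the original post or from either bank: it reads a constructed CSV export of account movements, flags every SEPA direct debit whose creditor ID is not on the account holder's own allowlist of granted mandates, and computes whether the 13-month return window mentioned above is still open. The CSV column layout, the creditor IDs and mandate references are invented, and the assumption that the return window runs 13 calendar months from the booking date is mine; check the exact rule with your bank.

```python
import calendar
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample of a bank-statement CSV export. These are invented
# transactions, creditor IDs and mandate references, not real data.
SAMPLE_CSV = """date,amount,type,creditor,creditor_id,mandate_ref,purpose
2023-06-02,-49.99,SEPA direct debit,Mobile Provider Example AG,DE98ZZZ09999999999,MPP-2019-12345,Monthly plan
2023-06-05,-1200.00,SEPA direct debit,Landlord Example GmbH,DE11ZZZ00000000001,RENT-2020-001,Rent June
2023-06-12,-189.00,SEPA direct debit,Unknown Webshop Ltd,GB45ZZZ12345678901,WS-2023-998877,Order 4711
2023-06-15,2800.00,credit transfer,Employer Example AG,,,Salary June
2023-06-20,-35.00,card payment,Grocery Store Example,,,Groceries
2023-06-28,-12.49,SEPA direct debit,Streaming Example Inc,LU22ZZZ00000000002,ST-2023-55555,Subscription
"""

# Creditor IDs the account holder knows they granted a SEPA mandate to
# (constructed values; in practice this comes from the holder's own records).
KNOWN_CREDITOR_IDS = {
    "DE98ZZZ09999999999",  # mobile phone provider
    "DE11ZZZ00000000001",  # landlord
}

# Assumption: the return window runs 13 calendar months from the booking date.
RETURN_WINDOW_MONTHS = 13


def add_months(d: date, months: int) -> date:
    """Add calendar months to a date, clamping the day to the target month's length."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class Finding:
    booking_date: date
    amount: float
    creditor: str
    creditor_id: str
    mandate_ref: str
    return_deadline: date
    still_returnable: bool


def flag_unknown_direct_debits(csv_text: str, known_creditor_ids: set[str], as_of: str) -> list[Finding]:
    """Return every SEPA direct debit whose creditor ID is not on the holder's allowlist.

    Credit transfers and card payments are skipped because the 13-month return right
    applies to direct debits only. `as_of` is an ISO date (normally today) used to decide
    whether each flagged debit can still be returned.
    """
    today = date.fromisoformat(as_of)
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["type"] != "SEPA direct debit":
            continue
        if row["creditor_id"] in known_creditor_ids:
            continue
        booked = date.fromisoformat(row["date"])
        deadline = add_months(booked, RETURN_WINDOW_MONTHS)
        findings.append(
            Finding(
                booking_date=booked,
                amount=float(row["amount"]),
                creditor=row["creditor"],
                creditor_id=row["creditor_id"],
                mandate_ref=row["mandate_ref"],
                return_deadline=deadline,
                still_returnable=today <= deadline,
            )
        )
    return findings


def main() -> None:
    # Print a short review list for the account holder; "as of" is fixed so the
    # output is reproducible for the constructed sample.
    for f in flag_unknown_direct_debits(SAMPLE_CSV, KNOWN_CREDITOR_IDS, "2023-07-01"):
        status = "can still be returned" if f.still_returnable else "return window closed"
        print(
            f"{f.booking_date} {f.amount:>9.2f} {f.creditor!r} creditor-id={f.creditor_id} "
            f"mandate={f.mandate_ref} deadline={f.return_deadline} ({status})"
        )


if __name__ == "__main__":
    main()
```

The allowlist is keyed on the SEPA creditor identifier rather than the creditor's display name, because the name in a debit is free text chosen by the creditor while the identifier is what the mandate was granted against. Anything flagged is a candidate for a return request and, following the advice below, for a report to the police if the holder does not recognize it.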
In the case of suspicious transactions, the consumer center of North Rhine-Westphalia recommends reporting the matter to the police. If those affected do so in good time, the bank is liable for possible damages. If, on the other hand, those affected wait too long, there is a risk that they will be left to bear the costs themselves, says the consumer advice center. The consumer protectors also advise changing the passwords for access to the affected accounts.
Furthermore, the consumer center points out the problem of negative entries at credit agencies (Schufa, Creditreform) due to the returned direct debits. According to the consumer advice center, affected customers also have claims for damages against the respective bank.