Hacker in hoodie showing MOVEit data breach via third-party affecting customer data of German banks

MOVEit Data Breach Leaks Deutsche Bank, ING, Postbank, and Comdirect’s Customer Data

Deutsche Bank AG has confirmed leaking customer data via a third-party service provider impacted by a MOVEit data breach.

“We have been notified of a security incident at one of our external service providers, which operates our account switching service in Germany,” a Deutsche Bank spokesperson told BleepingComputer.

Although Deutsche Bank withheld the vendor’s identity, banking sources have identified the account switching service provider Majorel Germany. Other German banks have confirmed third-party MOVEit data breaches.

Deutsche Bank MOVEit data breach exposed limited customer data

Majorel Germany confirmed it suffered the MOVEit data breach attributed to the Russian-speaking Clop ransomware gang. The SQL injection vulnerability has impacted over 300 companies worldwide.

“As part of a vulnerability in the “Move it” software, which affects many companies around the world, Majorel Germany has become the target of a hacker attack,” a Majorel spokeswoman said.

On July 3, 2023, Deutsche Bank AG sent data breach notifications to all victims, although the number of potentially impacted customers remains undetermined.

Majorel disclosed that the MOVEit customer data breach affected a single system in Germany and occurred before May 31, 2023, when the MOVEit file transfer vulnerability was discovered.

“The attack took place before the software’s vulnerability became public and only affected a single system running MOVEit software in Germany,” the spokesperson said, adding that the affected system was closed after discovering the breach.

Additionally, the MOVEit data breach did not compromise Deutsche Bank’s internal systems and only exposed limited personal information.

Details leaked include customers’ names and International Banking Account Numbers (IBAN) for individual customers in Germany who used the service in 2016, 2017, 2018, and 2020.

Deutsche Bank warns of potential fraud

Although threat actors cannot access the customers’ accounts, the leaked details could allow them to initiate unauthorized direct debits.

Subsequently, Deutsche Bank AG extended the unauthorized direct debit returns window to 13 months, granting customers more time to discover and report fraudulent transactions for a refund. Therefore, impacted customers should monitor their accounts and swiftly report unauthorized transactions to their banks and law enforcement.

Similarly, Deutsche Bank account holders should remain vigilant for phishing attacks as hackers could obtain email addresses and phone numbers from other sources, such as previous data breaches and social media, to target them.

Deutsche Bank AG is still investigating the customer data breach and could provide more information after concluding the probe.

Customer data breached across several German banks

Several German banks, including ING Bank, Postbank, and Comdirect, have confirmed MOVEit customer data leaks.

ING Bank told German media outlet Handelsblatt that the MOVEit data breach impacted “a low four-digit number” of customers who used the account switching service.

However, only the legal account change assistance service “Kontowechselhilfe” was affected, not the more frequently used account change service “Kontowechselservice.”

The Frankfurt-based financial services corporation has reported the breach to relevant data protection and law enforcement agencies and will notify impacted customers. However, ING Bank withheld the name of the implicated account switching service.

Similarly, Commerzbank has confirmed that the Majorel MOVEit hack impacted its Comdirect brand’s customer data but not the Commerzbank brand. Plans to notify the impacted customers are in progress.

“We are only affected by the data leak at Majorel with the Comdirect brand. Customers of the Commerzbank brand are not affected,” the bank said.

Postbank customer data was also compromised in the MOVEit data breach. Deutsche Bank AG owns Postbank and has integrated the two banks’ systems. However, Postbank’s MOVEit data breach did not originate from Deutsche Bank.