Deutsche Bank, ING, and Postbank impacted by MOVEit hack

Four major European banks – Deutsche Bank, ING Bank, Postbank, and Comdirect – are reporting customer data leaks. They're the result of using the same third-party business vendor, breached in the Cl0p MOVEit hacks.

Both Deutsche Bank and its retail arm Postbank announced the customer data leak in a form letter sent to customers on July 3rd, according to German media outlet General-Anzeiger.

The customer notice stated that attackers had exploited a vulnerability in the software of a service provider, but did not name the service provider at the time.

According to the letter, the customers' first name, last name, and IBAN (International Bank Account Number) were stolen – enough information for a criminal to make unauthorized direct debits from an account.

However, a Deutsche spokesperson told media outlets that the criminals could not access accounts directly.

Only customers who used the account switching service of either Deutsche or Postbank in 2016 through 2018, and 2020, are said to be affected by the leak.

Neither Deutsche nor Postbank has said how many customers may have been affected by the leak.

Ironically, Deutsche, which acquired Postbank in 2008, also announced on Monday that it had finally completed a more than decade-long process of integrating both banking systems under one roof.

The Deutsche Bank spokesperson said the data leak had nothing to do with the move of Postbank's customer data to the joint IT platform, according to German media outlets.

Meanwhile, new information has revealed that third-party vendor Majorel, a bank account switching service provider headquartered in Luxembourg, was contracted by both financial institutions and is believed to be the root cause of the data leaks.

German public health insurer Barmer was the first to mention Majorel as the third-party cause of its own MOVEit-related data leak on May 31st.

Majorel admitted on Monday that it had been the target of a cyber attack involving the MOVEit file transfer system.

The vendor said that once it discovered the security vulnerability, measures were taken to "immediately" prevent further incidents. Other divisions of Majorel were not affected, the company reported.

ING Bank and Comdirect, both also clients of Majorel's account switching services, confirmed Monday that they had been impacted by the MOVEit breach, reported German newspaper Handelsblatt.

Since publishing this article, Cybernews confirmed the incident directly with an ING Bank spokesperson who provided further details about the leak, and more information for those customers possibly affected.

"According to the current state of knowledge, a low four-digit number of customers who have used the statutory account switching assistance when opening a current account with us are affected," an ING spokesperson stated.

A spokesperson for Commerzbank, the parent company of Comdirect, said, "We are only affected by the data leak at Majorel with the Comdirect brand. Customers of the Commerzbank brand are not affected."

The bank said it was in the process of investigating and notifying customers affected by the unauthorized access.

Actions to take

German law firm Dr. Stoll & Sauer, who handle consumer data breach litigation, said customers should be careful because there is still a possibility “unauthorized persons will try to obtain further personal information via e-mails, calls or messages and use it for fraudulent purposes such as phishing and password theft.”

The banks are recommending customers monitor their transactions and account statements particularly carefully and contact the bank if they see any unauthorized transactions, Dr. Stoll & Sauer said.

Unauthorized direct debits can be reclaimed by the bank for up to 13 months, and “the money will be refunded,” according to the Deutsche Bank spokesman, the law firm said.

Frankfurt-based Deutsche Bank is the 8th largest bank in Europe and has 499 branches worldwide. Postbank has over 1,000 branches and 700 advisory centers globally.

In March, a hacker on the just now-resurrected BreachForums criminal marketplace claimed to have 60GB of Deutsche Bank data in their possession, and was offering it up for sale to the highest bidder.

The stolen data allegedly included Deutsche Bank employee data and source code derived from the bank’s website. Deutsche Bank did not respond to our request for confirmation at the time.

Headquartered in Amsterdam, ING Bank comes in as Europe's 13th-largest banking institution. Comdirect is the third-largest direct bank in Germany.

At the time of this report, Cybernews has contacted Deutsche Bank and Postbank and is awaiting responses.

Cl0p and MOVEit attacks

The Russian-linked Cl0p ransomware gang claimed responsibility for exploiting a zero-day flaw in the MOVEit file transfer system on their dark leak site June 14th.

The gang began slowly leaking the names of victims unwilling to negotiate, starting on June 15th. As of July 10th, the Cl0p dark leak site lists over 120 alleged victims.

Security experts anticipate there are over 230 victims of the MOVEit hack, and possibly more, since the fallout from third-party vendors such as Majorel being hit in the MOVEit attacks can affect any company using their services.

Majorel operates in 45 countries on five continents, according to their profile.

The MOVEit Transfer system is made and distributed by the American software company Progress. It's estimated that thousands of companies around the world use the system to securely send and receive files.

Cl0p made headlines in March, claiming responsibility for another zero-day attack exploiting the similar Fortra GoAnywhere file management system and affecting roughly 120 companies worldwide.

Siemens Energy, UCLA, and the NYC Department of Education are the latest to confirm they were hit in the MOVEit attacks. Shell Global, also hit in the GoAnywhere attack, was the first victim claimed by the ransom group in June.

Other big names impacted by MOVEit include PWC, Ernst & Young, Sony, and several US federal agencies, including the Department of Energy and Health.

The White House recently issued a $10 million reward for any information leading to a Cl0p member being arrested.

Also Monday, Choice Hotels' newly acquired Radisson Hotels Americas confirmed to Cybernews that it was the latest victim of the MOVEit hack and its customers' data was compromised.