Cyber Incident Victim: Neuhaus Gruppe
Date:
Mar 2023
Location:
Germany
Summary
A ransomware attack targeting the service provider Einhaus Gruppe led to a data breach affecting customers of the bike leasing company JobRad, specifically those associated with its Mercator-Leasing GmbH partner. The incident resulted in unauthorized access to personal data, including names, addresses, email addresses, phone numbers, and contract details of end users, alongside potentially compromised employer banking information and business contact credentials. Stolen data was subsequently offered for sale in darknet forums, increasing phishing and fraud risks for impacted individuals. The attack exclusively affected systems operated by Einhaus Gruppe, leaving JobRad's direct infrastructure unaffected, though its externally managed "Ratenschutzportal" remains offline. Customers linked to JobRad's other leasing partner were unaffected.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around March 17, 2023, a ransomware attack targeted systems operated by the Einhaus-Gruppe, a contracting partner of German bicycle leasing provider JobRad. The breach compromised the "Ratenschutzportal," an online platform operated exclusively by Einhaus-Gruppe to support JobRad's leasing services. Attackers exfiltrated data belonging to both corporate clients and individual end-users of JobRad's services through this portal. Compromised personal data included customer names, addresses, email addresses, phone numbers, and specific lease agreement details. JobRad confirmed that customer banking details and passwords were not accessed, though employer banking information and business contact credentials from corporate clients could have been exposed during the incident. The breach remained confined to Einhaus-Gruppe's infrastructure, with no evidence of lateral movement into JobRad's own IT systems according to their investigation.
JobRad notified affected customers via email shortly after detecting the breach, issuing a detailed breakdown of compromised data types while emphasizing that only customers associated with the Mercator-Leasing GmbH leasing partner were impacted. Individuals utilizing JobRad services through the alternative JobRad Leasing GmbH partner were unaffected. Following the attack, perpetrators listed the stolen datasets for sale on darknet marketplaces, significantly increasing risks of tailored phishing, smishing, or fraudulent transaction attempts against exposed individuals and companies. JobRad preemptively took the compromised Ratenschutzportal offline, where it remained non-operational for an extended period post-incident. Corporate clients received specific warnings regarding potential financial fraud attempts leveraging stolen employer banking details, while individual lessees were advised to remain vigilant for targeted communications impersonating leasing authorities. The company maintained throughout its communications that internal security audits confirmed the isolation of the breach to Einhaus-Gruppe's systems.