Cyber Incident Victim: D-Trust GmbH
Date:
Jan 2025
Location:
Germany
Summary
D-Trust GmbH experienced a cyberattack targeting its application portal for signature and seal cards, potentially compromising applicants' personal data. Issued cards remained unaffected and fully operational, with no compromise to PINs, passwords, payment information, or other systems. The company immediately implemented protective measures upon detection, notified regulatory authorities, and initiated individual communications to affected parties. A criminal complaint was filed, and specialized IT security personnel are collaborating with law enforcement to investigate the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On January 13, 2025, D-Trust GmbH detected a cyberattack targeting its application portal for signature and seal cards. The breach was identified on the same day it occurred, with preliminary investigations indicating potential unauthorized access to applicant personal data stored within the portal infrastructure. The compromised information specifically involved data submitted by individuals during the application process for these cryptographic cards. The company confirmed that issued signature and seal cards themselves remained uncompromised and fully operational, with no impact on their cryptographic functions or usage validity. PIN codes associated with the cards, user passwords, financial payment details, and other organizational systems outside the portal environment were not accessed or affected by the intrusion. D-Trust did not disclose technical specifics regarding the attack vector or the precise volume of potentially exfiltrated records in its initial statement.
Following attack detection, D-Trust implemented immediate containment measures to secure the portal's data environment, though the nature of these technical safeguards was not detailed publicly. The company initiated forensic analysis to assess the intrusion's scope and collaborated with specialized internal IT security personnel. Regulatory authorities overseeing data protection compliance were formally notified as required by breach disclosure obligations. D-Trust committed to direct, individualized notifications for affected applicants whose personal data might have been exposed during the incident. Legal proceedings commenced with the filing of a criminal complaint against unknown perpetrators with German law enforcement agencies. The organization's security team maintained active coordination with investigating authorities to establish attack attribution and methodology. D-Trust publicly acknowledged operational disruptions stemming from the breach and established a dedicated email contact ([email protected]) for stakeholder inquiries regarding incident-related concerns.