Cyber Incident Victim: ING Group
Date:
May 2023
Location:
Germany
Summary
A cyberattack targeting Majorel, a service provider handling account switching for multiple banks, resulted in the theft of over 144,000 customer datasets including names and account numbers, which subsequently appeared on the darknet. The breach impacted clients of ING, Comdirect, Deutsche Bank, and Postbank, with ING confirming a low four-digit number of affected customers who used statutory account switching services. While stolen data alone does not enable direct account access, attackers could misuse it to initiate unauthorized direct debits, though customers retain rights to reverse such transactions within 13 months. The incident stemmed from compromised systems at Majorel, which processed data for these financial institutions.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In early 2023, a cyberattack targeted Majorel, a German customer service provider specializing in account switching services for banks. Majorel’s subsidiary Kontowechsel24.de—which partnered with ING since at least May 2016—processed statutory account-switching assistance for multiple financial institutions. Attackers exfiltrated customer data, including full names and bank account numbers, later publishing subsets on darknet forums. The breach impacted ING, Comdirect, Deutsche Bank, and Postbank, though the full scope remained unclear until May 2023. Majorel’s ownership structure complicated disclosures, as Bertelsmann (a former 40% stakeholder) had sold its shares to Teleperformance in April 2023, shortly before the breach became public.
Deutsche Bank and Postbank first acknowledged the incident on May 31, 2023, confirming unauthorized access to customer data but withholding exact figures. ING subsequently disclosed that a "low four-digit number" of its customers were affected exclusively through the statutory account-switching service, distinguishing it from their more frequently used proprietary switching system. Comdirect also confirmed exposure but did not quantify impacted accounts. Stolen data posed fraud risks, as attackers could pair names and account numbers to initiate unauthorized direct debits—though banks noted customers could reverse such transactions within 13 months. No evidence suggested compromised login credentials or direct breaches of bank systems. Financial institutions notified affected clients and emphasized heightened vigilance against suspicious transactions, while Majorel’s operational role in the incident limited banks’ ability to disclose further provider-specific details.