Cyber Incident Victim: Commerzbank

Date: Jul 2023

Location: Germany

Summary

A hacker attack targeting Majorel Germany, a service provider handling statutory account switching assistance, compromised personal data including names and account numbers for customers of multiple banks. The breach affected a low four-digit number of individuals who used the service when opening accounts, enabling potential unauthorized direct debit attempts though not direct account access. While criminals could misuse the exposed information to initiate fraudulent transactions, impacted customers retain recourse to reclaim such debits within a specified period. The incident impacted Comdirect and ING among other financial institutions, with Majorel's subsidiary Kontowechsel24.de identified as involved in the compromised service operations.

Description

In July 2023, multiple German banks including Comdirect, ING, Deutsche Bank, and Postbank disclosed a data breach impacting customers who utilized statutory account switching services. The incident originated from a hacker attack on an undisclosed third-party service provider responsible for processing account change requests, with industry circles indicating the provider was linked to Majorel Germany via its subsidiary Kontowechsel24.de. ING confirmed a "low four-digit number" of its customers were affected—specifically those who had engaged the statutory account switching assistance when opening checking accounts. The breach exposed personal data including customer names and account numbers, though login credentials, transaction details, and account balances remained uncompromised. Deutsche Bank and Postbank acknowledged the incident but did not quantify the number of affected customers. The attack exclusively targeted the statutory account switching process, leaving other banking systems and the more frequently used commercial account switching services unaffected. Financial institutions emphasized the breach occurred at the external service provider’s infrastructure, not their own systems.

The compromised data enabled unauthorized parties to potentially initiate fraudulent direct debits, though attackers could not directly access bank accounts or perform broader financial transactions. Banks clarified that customers retained the right to reverse unauthorized debits within a 13-month window under existing protections. ING, Comdirect, and other impacted institutions notified affected customers while withholding the service provider’s name, though contextual details linked the incident to Majorel—a firm recently acquired by Teleperformance from Bertelsmann in April 2023. Kontowechsel24.de, identified as Majorel’s subsidiary, had partnered with ING since 2016 for account switching services. No evidence suggested operational disruptions to core banking platforms, and the breach’s containment relied on standard fraud reversal mechanisms rather than system-wide remediation. The incident underscored supply chain vulnerabilities in financial services, particularly through niche third-party processors handling regulated functions like account migration.
