Cyber Incident Victim: moBiel GmbH
Date: Sep 2023
Location: Germany
Summary
A cyberattack on a partner of moBiel GmbH disrupted the provision of real-time schedule information. This impacted the company's mobile application, website, ticket machines, and most displays at its stops. As a security measure, only planned schedule times were shown. Updated data remained available only on older display boards and inside its buses and trams. The specific circumstances and background of the attack were not immediately known.
Description
On September 11, 2023, the Bielefeld public transportation company moBiel publicly disclosed a cybersecurity incident impacting its service information systems. The incident was identified as a cyberattack that did not target moBiel directly but instead affected one of its unnamed cooperation partners. This partner's compromised systems were integral to the real-time data distribution network used by moBiel. The attack resulted in a significant degradation of service for moBiel's passenger information channels. The immediate operational consequence was the inability to disseminate current timetable and scheduling data across the majority of its public-facing platforms.

In response to the incident, moBiel implemented immediate safety and containment measures. The primary action taken was to cease the display of real-time, dynamic information derived from the partner's compromised systems. As a protective measure, the systems were reconfigured to display only static, planned schedule data. This change in data output was applied comprehensively to the moBiel-You mobile application, the company's official homepage, and the vast majority of electronic display boards located at stations and stops throughout the Bielefeld service area. This ensured that passengers were provided with a baseline level of service information, albeit non-current, while preventing the further propagation of any potentially malicious activity from the partner's systems into moBiel's own network.
The impact of this response was widespread and immediately noticeable to the public. The failure to display real-time updates meant passengers could not access information regarding delays, cancellations, or the actual arrival times of buses and trams. This loss of dynamic data affected core digital services, significantly reducing the functionality of the moBiel-You app and the website, which rely on this data for trip planning and real-time status updates. Furthermore, the ticket vending machines, which also depend on this data stream for functionality, were similarly impacted and unable to provide current service information to users.
Not all passenger information systems were affected uniformly. A specific subset of older display technology remained operational and continued to show updated data. moBiel specified that these functional displays were located in the Jahnplatz tunnel and at the Rathaus (City Hall) stop. Additionally, the onboard display systems inside moBiel's own fleet of buses and trams continued to operate normally and present current information to passengers. This differential impact suggests that these specific systems operated on a separate technological infrastructure or data feed that was not reliant on the compromised partner's network, allowing them to remain unaffected by the attack on the third-party provider.
The public disclosure, made late in the afternoon on Monday, September 11, was factual and provided a clear outline of the service impacts without delving into speculative details. moBiel's communication confirmed the cyberattack on its partner and detailed the specific platforms experiencing outages but did not provide information regarding the nature or scope of the attack itself. The company stated that the precise circumstances of the cyberattack and any further background details were not yet known at the time of the announcement. The incident remained under investigation, with a focus on understanding the attack vector and the full extent of the compromise at the partner organization. The primary consequence for moBiel was a prolonged period of operating without its full real-time passenger information capability, relying instead on pre-planned schedules across its main digital channels.
