Cyber Incident Victim: Danske Statsbaner
Date:
May 2018
Location:
Denmark
Summary
A massive DDoS attack targeted the Danish state rail operator DSB, disrupting ticket sales via its app, website, machines, and partner retailers, while also disabling internal mail and telephone systems. Passengers relied on alternative ticketing methods or onboard purchases, with safety systems unaffected. The incident prompted an investigation with authorities to analyze the novel attack method and prevent recurrence, though no ransom demands were reported.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On May 13, 2018, the Danish state rail operator DSB experienced a disruptive distributed denial-of-service (DDoS) attack that began on Sunday and continued into Monday. The cyber assault targeted critical operational systems, rendering ticket sales inaccessible through DSB’s mobile app, website, physical ticket machines, and third-party sales channels at 7-Eleven stores nationwide. Passengers without Rejsekort travel cards were forced to purchase tickets directly from onboard inspectors due to the widespread failure of digital sales platforms. Internal communications infrastructure, including corporate email systems and telephone lines, was also compromised, leaving social media as DSB’s sole method of customer communication during the outage. The attack’s intensity and novel methodology exceeded previous security incidents, according to DSB Vice-Director Aske Wieth-Knudsen, who confirmed the malicious external origin through overnight analysis by internal technicians and IT contractors. Train safety systems remained unaffected throughout the incident, with service disruptions limited to administrative and customer-facing functions rather than operational controls.
DSB restored normal operations by Monday morning following containment efforts, though residual technical issues persisted for some users accessing the company’s website. The organization initiated a forensic investigation with Danish authorities to analyze the unprecedented attack vectors and develop preventive measures against future incidents. Wieth-Knudsen publicly confirmed no ransom demands were made during the attack and emphasized the need for enhanced defensive protocols given the novel nature of the assault. While immediate communication with external agencies was pending at the time of initial statements, DSB committed to formal engagement with relevant national bodies as part of its post-incident response. The company maintained continuous monitoring of systems to detect potential follow-up attacks while assessing the full scope of infrastructure vulnerabilities exposed during the event.