Cyber Incident Victim: Berliner Verkehrsbetriebe

The attack targeted an external service provider that BVG uses for sending customer letters. Criminals gained access to stored data belonging to the provider. The compromised information includes names, postal addresses, email addresses, customer numbers, and contract numbers for the Berlin-Abo subscription. BVG became aware of the breach and subsequently sent notifications to affected customers. The precise number of individuals impacted has not been disclosed. However, the company indicated that possibly around 180,000 customer records may have been involved.

The data accessed are personal but do not comprise sensitive financial details such as bank account information. BVG stated that, based on the current assessment, no sensitive data had been exfiltrated. In its communications, BVG advised recipients to change their passwords. Customers were also urged to monitor their email accounts for any unusual activity and to be vigilant against possible phishing attempts. Furthermore, BVG warned that the attackers might seek to alter contracts in the names of affected customers. These advisories were included in the letters sent to those whose data were compromised.

Following the incident, the external service provider implemented additional security measures. BVG reported that it is maintaining contact with the Berlin data protection authority regarding the breach. As a operator of public transportation, BVG forms part of the city's critical infrastructure. The Federal Office for Information Security (BSI) has characterized the risk of further attacks as high. This assessment persists despite the ongoing monitoring of security processes by the company. No further details about the attackers or their motives have been made public in the available sources.