Cyber Incident Victim: Deutsche Bahn AG

Date: Jul 2023

Location: Germany

Summary

Deutsche Bank and its subsidiary Postbank experienced a data breach originating from a third-party service provider used for account switching services. Unauthorized actors exploited a software vulnerability, compromising customers' first names, last names, and IBAN account numbers. The bank emphasized that the exposed data alone couldn't facilitate unauthorized account access. The external provider addressed the vulnerability, and affected customers—limited to those who used the switching service during specific historical periods—were notified. The incident potentially impacted over 100 organizations across more than 40 countries due to the provider's broad client base.

Description

In May 2023, Deutsche Bank and its subsidiary Postbank disclosed a data breach stemming from a security incident at an external service provider utilized for their account switching service. The breach occurred when criminals exploited a software vulnerability at this third-party provider, enabling unauthorized access to customer data. Affected individuals were limited to customers who had used Deutsche Bank’s or Postbank’s account switching services during specific years: 2016, 2017, 2018, and 2020. The compromised data included customers’ first names, last names, and International Bank Account Numbers (IBANs), though Deutsche Bank emphasized this information alone could not facilitate unauthorized account access. The bank confirmed the service provider had identified and remediated the vulnerability responsible for the breach, but declined to publicly name the vendor involved.

Deutsche Bank initiated customer notifications via direct letters following the incident, disclosing the nature of the exposed data while assuring recipients of ongoing account security. The breach’s scope extended beyond Deutsche Bank Group, as the service provider supported over 100 companies across more than 40 countries, suggesting potential wider industry impacts. No financial losses or fraudulent transactions were directly linked to the breach in the disclosed information. The Bonner Generalanzeiger newspaper first reported details from customer notification letters, which corroborated the data types involved and the exploitation method. Response actions focused on containment through the vendor’s vulnerability patch and transparency through targeted customer communications, with no public evidence of regulatory penalties or further operational disruptions at Deutsche Bank or Postbank resulting from the incident.
