Cyber Incident Victim: KaDeWe Group
Date: Nov 2023
Location: Germany
Summary
The KaDeWe Group, a German luxury department store operator, was attacked by Russian cybercriminals who targeted its corporate networks. The company's security systems detected the intrusion early, allowing it to be contained and the impact significantly limited. IT systems were taken offline as a precaution but were later restored with only minor operational impairments. Investigators found no evidence that customer payment data, account information, or passwords were accessed during the breach.
Description
On the night of November 2 to 3, 2023, the KaDeWe Group, which operates the luxury department stores KaDeWe in Berlin, Alsterhaus in Hamburg, and Oberpollinger in Munich, was attacked by cybercriminals originating from Russia. The attack targeted the company's corporate networks. The organization's security and alert systems detected the intrusion, allowing for immediate countermeasures. According to the company's Chief Executive Officer, Michael Peterseim, these systems repelled the attack at a very early stage and, thanks to the swift action taken, significantly contained its impact. Neither the initial attack vector nor the specific malware or tools used by the threat actors was disclosed in the public statements.

In response to the detected breach, the KaDeWe Group took precautionary measures over the subsequent weekend, immediately following the attack. The decision was made to transition all of the company's IT systems into an "offline emergency operation" mode. This action was taken to isolate systems, prevent further unauthorized access, and allow for a secure assessment of the damage. This shift to an offline state inevitably caused operational disruptions across the physical department store locations, affecting standard retail functions that relied on networked computer systems.
External forensic specialists were engaged to assist the company's internal IT security teams. Their collective mission was to conduct a thorough investigation to gain a complete picture of the scope and extent of the criminal attack. This forensic effort focused on determining what systems were accessed, what data was potentially viewed or exfiltrated, and the full breadth of the network compromise. The investigation was conducted in close coordination with law enforcement authorities, whom the company notified immediately after discovering the incident.
The KaDeWe Group filed a formal criminal complaint with the relevant authorities. The company confirmed it was in close communication and exchange with the Cyber Crime Unit of the Berlin police department to support the official law enforcement investigation into the actions of the Russian cybercriminals. This formal reporting initiated a parallel investigative track by German police agencies.
By Tuesday, November 7, 2023, Michael Peterseim, the CEO of the KaDeWe Group, communicated directly with customers via a circular email to inform them of the incident. The communication confirmed that the attack affected not only the flagship KaDeWe store in Berlin but also the other two major properties within the group, Alsterhaus and Oberpollinger. The email provided a preliminary assessment from the ongoing investigation, stating that the investigators had no indication that personal payment information or customer bank account details were affected by the attack. Customers were further assured that the passwords associated with their online accounts were not within the access scope of the attackers, indicating that the specific systems housing that authentication data were not breached.
Operationally, the offline emergency mode that was instituted over the weekend had been lifted within the physical stores by the time of the customer communication on November 7. The company reported that business operations were running again with only minor impairments. However, the CEO prepared customers for the possibility of further limitations due to ongoing defense and cleanup measures that were still being actively performed across the IT infrastructure. These residual effects were a consequence of the prolonged forensic analysis and security remediation work continuing behind the scenes.
The incident occurred at the start of the crucial Christmas shopping season, representing a significant operational and reputational challenge for the luxury retail group. The forced shift to offline systems and the subsequent recovery efforts risked disrupting sales and customer service during one of the most profitable periods of the year. The company's public statements emphasized that business was largely continuing despite the attack, likely in an effort to maintain customer confidence and minimize potential financial loss during the holiday period.
The company's response highlighted a focus on transparency with its customer base by proactively disclosing the attack shortly after its discovery. The commitment was made to inform any affected customers as quickly as possible should the forensic investigation uncover any evidence to contradict the initial assessment that customer financial data was not accessed. The public narrative from the company consistently emphasized that core customer data appeared to be secure and that the attack was caught and contained rapidly due to their security protocols. The overall response combined immediate technical containment, engagement of external forensic experts, collaboration with law enforcement, and structured customer communication.
