Cyber Incident Victim: Sparda-Banken
Date: May 2023
Location: Germany
Summary
A cyberattack exploiting a zero-day vulnerability in the MOVEit Transfer file transfer software affected multiple financial institutions via the third-party service provider Majorel Germany, which operated an account switching service. The Clop ransomware group stole customer data, including personal information and bank details, affecting approximately 900 Sparda-Banken customers and low four-digit numbers of customers at other banks such as Deutsche Bank, Postbank and ING. Insurers also suffered theft of Riester pension contract data. No online banking credentials or passwords were compromised. The affected entities responded with immediate security measures, including customer notification and termination of the vulnerable data transfers.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The Clop group exploited a previously unknown (zero-day) vulnerability in the MOVEit Transfer file transfer software, tracked as CVE-2023-34362, in a global data-theft campaign that affected over 260 companies and public authorities between May and June 2023. Majorel Germany, a critical service provider to Germany's financial sector that operates the account switching platform Kontowechsel24.de, was compromised through this vulnerability. The breach exposed customer data processed on Majorel's systems, which handled 400,000 account switches and three million bank-detail conversions in the 2019 financial year. The financial regulator BaFin confirmed that it was aware of the incident and in close contact with the supervised institutions, but gave no operational details. The attack's impact extended to several German financial institutions, including the cooperative Sparda-Banken, which confirmed that approximately 900 customers were affected through the exposure of data held by the third-party provider during account switching. Other affected institutions included Deutsche Bank, Postbank, ING and Comdirect; Commerzbank confirmed that "a few hundred" Comdirect-brand customers were affected, but none of its main-brand clients.

The attackers exfiltrated over 144,000 customer records containing personal information, with Postbank the most severely affected institution. Insurers including Provinzial and the Bavarian Insurance Chamber also suffered theft of data relating to Riester retirement contracts: Provinzial confirmed that customer data of its Rheinland and NordWest life insurance subsidiaries had been stolen, but no bank credentials or login details. The Bavarian Insurance Chamber reported the compromise of personal data from 17,900 Riester policies at Bayern-Versicherung, predominantly contracts held in Saarland. Majorel cut off the unauthorized access as soon as it was detected and halted the affected data transfers, while affected banks such as Sparda notified customers immediately and put security precautions in place. The data stolen from insurers included tax identification numbers used for queries on approximately 1,400 contracts; the operational banking systems of all institutions remained uncompromised. The incident highlighted the systemic third-party risk in financial data processing chains, and the stolen datasets later appeared on darknet platforms.
