Cyber Incident Victim: Planfocus
Date: May 2023
Location: Austria
Summary
A cyber attack targeted Planfocus, a service provider for Diebold Nixdorf's cash cycle optimization systems. The incident affected a data center hosting the platform, which uses statistical data like ATM IDs and cash withdrawal volumes to forecast cash needs for bank ATMs. While the provider's statistical information was potentially compromised, no customer data was exfiltrated and the physical cash supply was never at risk. The system was restored after the provider switched to another data center.
Description
On or around May 23, 2023, a cyber attack targeted a data center used by the service provider Planfocus. The incident was confirmed by spokespersons for Diebold Nixdorf, a major manufacturer of automated teller machines (ATMs) and banking systems. Planfocus provided a critical service for Diebold Nixdorf, operating the Cash-Cycle-Optimization (CCO) system. This system was responsible for generating forecasts and optimization data for the distribution of cash to ATMs. It functioned by analyzing historical and statistical experience data to predict how much cash a specific ATM would dispense over a certain period, thereby enabling efficient cash logistics and replenishment for bank customers.

The attack was directed against the infrastructure within the Planfocus data center, specifically targeting servers and components. The exact nature of the attack, such as whether it involved ransomware, a system intrusion, or another method, was not publicly disclosed by the sources. Similarly, the identity of the threat actors responsible for the attack remained unknown at the time of the reporting. Law enforcement authorities had been notified and were involved in the investigation, but no claims of responsibility or attributions to specific groups were made. The incident was detected and became known to Diebold Nixdorf, which then proceeded to inform its banking customers about the event through a formal communication.
The primary impact of the incident was on the availability and integrity of the CCO system hosted by Planfocus. The attack disrupted the normal operation of this optimization platform. However, Diebold Nixdorf and its spokespersons consistently emphasized that the actual physical cash supply to ATMs was never endangered at any point. The distinction was made that the attack compromised a supporting optimization service rather than the core systems that directly control the dispensing of cash or the logistics of cash-in-transit deliveries. The core function of providing cash to customers through ATMs continued uninterrupted throughout the event.
Regarding data impact, the potentially compromised information consisted of statistical and operational data necessary for the CCO system's function. This data included automated teller machine identification numbers, the addresses of bank branches where ATMs were located, historical data on the quantities of cash withdrawn from individual machines over time, and information pertaining to the frequency of cash delivery visits to each device. Diebold Nixdorf explicitly stated that no customer data was affected in the incident. Furthermore, based on their knowledge at the time, they reported that there had been no actual exfiltration or leakage of the statistical data itself; the concern was solely about the potential for such data to have been accessed.
The response to the incident involved immediate containment and recovery actions undertaken by the service provider, Planfocus. To restore service, Planfocus apparently failed over to an alternative data center, migrating the CCO system to this new infrastructure. This action allowed the system to return to normal, disruption-free operation relatively quickly after the attack. During the outage period when the primary system was unavailable, the crucial cash optimization calculations were performed manually to ensure that cash logistics operations could continue without relying on the automated forecasts. This manual workaround prevented any significant degradation in the service provided to banks.
Diebold Nixdorf's role in the response was primarily communicative and coordinative. The company informed its clients of the situation and worked with the service provider to understand the scope and impact. The company stated it had not experienced any further direct impacts from the attack on its own operations. An inquiry from a media outlet to Planfocus for additional comment on the specific effects of the cyber attack went unanswered, leaving the detailed technical response and full extent of the compromise on the provider's side unclear. The incident highlighted the vulnerabilities within supply chains, particularly when critical infrastructure services are outsourced to third-party vendors.
The broader context of the incident places it within a pattern of frequent cyber attacks targeting the financial sector. The reporting noted that such attacks occur daily and that financial institutions and their service providers are common victims. This event was contemporaneous with other significant cyber incidents in the region, including an attack that took the IT systems of Deutsche Leasing, a leasing company for savings banks, offline in early June and a separate IT security incident at an in-house IT service provider for a major newspaper that affected its printing operations. The incident involving Planfocus and Diebold Nixdorf served as another example of the persistent threats facing financial infrastructure and its extended network of suppliers. The full technical details of the attack vector, the specific containment measures taken by Planfocus beyond the data center migration, and the final forensic findings from the investigation were not revealed in the available source material.
