
Cyber Incident Victim: Deutsches Rotes Kreuz / Rotkreuzshop

Date: Apr 2023

Location: Germany

Summary

The German Red Cross's online shop suffered a data breach due to a security gap at an external service provider. Cyber criminals exploited the vulnerability, accessing customer data including names, addresses, email addresses, telephone numbers, and hashed login passwords. The organization informed customers and authorities, reset all account passwords, and stated that no bank details were affected by the incident.


Description

On or around April 23, 2023, cyber criminals exploited a security vulnerability in the systems of an external service provider that the Deutsches Rotes Kreuz (DRK) used to operate its Rotkreuzshop.de web shop. Through this external attack the intruders gained unauthorized access to customer data and exfiltrated it. The activity spanned two days and concluded on April 24, 2023. The DRK's own infrastructure was not directly breached; the intrusion was possible solely because of the security gap at the third-party service provider.

The German Red Cross was formally notified of the security incident by its external service provider on the evening of May 4, 2023. Following this notification, the DRK initiated a forensic investigation on May 6, 2023, to determine the scope and impact of the breach. The investigation confirmed that the external attackers had successfully exploited the vulnerability to read data from the online shop. The specific vulnerability was not publicly identified, and it remains unknown whether it was related to the widespread MOVEit Transfer exploitation occurring at the same time. The external service provider responsible for operating the web shop subsequently closed the security gap.

The data breach compromised several categories of personal customer information. The stolen data included customer names, postal addresses, and email addresses. For some affected individuals, it also included their affiliated DRK association and a telephone number, where that information had been provided to the shop. Login credentials for the web shop were also accessed; however, the passwords were not stored in plain text but as cryptographic hashes. According to the DRK's assessment, no bank details or other financial information were affected by the incident.

The exact number of customers impacted by the data leak was not disclosed by the DRK in its initial communications. The organization proceeded to inform its shop customers of the breach via a formal letter, which was made available on May 8, 2023. In this communication, the DRK attributed the incident to the security gap at its service provider and detailed the categories of personal data that were exposed. As a primary containment and response action, the DRK-Shop reset all customer account passwords. This action forced a password reset for every user account, requiring customers to assign a new password before they could log in again. The organization also reported the data leak to the relevant security authorities.

The DRK provided guidance to its customers on steps to limit potential downstream effects of the breach. As a precaution, customers were advised to change the password of any other online service where they had reused their Rotkreuzshop password, and the recommendation stressed the importance of using strong, unique passwords for each service. Customers were also advised to be particularly vigilant for spam and phishing emails, and for failed login attempts against their other online accounts, since the stolen email addresses and telephone numbers could be used for fraudulent communications. The DRK noted that phishing attempts can often be recognized by an unknown sender or by spelling and grammatical errors in the message.

The incident caused non-material damage to the affected consumers, whose personal data was exposed to unauthorized parties. This exposure created a risk of follow-on fraud, such as targeted phishing attacks designed to harvest further sensitive information (for example banking credentials) or to distribute malware. The legal consequences for those affected fall under the General Data Protection Regulation (GDPR). Affected individuals have the right to obtain information from the company about the extent to which their personal data was involved in the breach. A ruling by the European Court of Justice (ECJ) on May 4, 2023, confirmed that a claim for damages exists where immaterial damage has resulted from a GDPR violation, irrespective of whether any financial loss was incurred. Victims also retain the right to object to the processing of their data and to seek injunctive relief.
