Cyber Incident Victim: Bank99

Date: May 2023

Location: Austria

Summary

A cyber attack exploited a security vulnerability in the MOVEit software used by service provider Majorel, resulting in a data breach affecting Bank99. The incident led to the theft of over 144,000 customer data records, which subsequently appeared for sale on the darknet. The compromised information included sensitive customer details such as names and account numbers.

Description

On or around May 31, 2023, a cybersecurity incident involving Bank99 became public knowledge. The incident was not a direct attack on the bank's own infrastructure but was instead the result of a broader attack on a third-party service provider. Reports confirmed that Bank99, a subsidiary of the Austrian postal service, was affected by a data leak stemming from this external attack. The service provider targeted in the attack was not explicitly named in the reporting specific to Bank99, but the incident was part of a larger pattern of attacks exploiting a specific software vulnerability.

The attack vector utilized by the threat actors was a security gap in the software known as MOVEit. Criminals exploited this vulnerability to gain unauthorized access to systems. This method of attack, targeting a widely used software application, allowed the attackers to potentially compromise multiple organizations that were customers of the same service provider or were using the vulnerable software themselves. The confirmation of Bank99's involvement came from the bank itself through statements made to the media outlet KURIER.

While the exact number of affected Bank99 customers was not disclosed in the available reports, the incident was part of a larger data theft. A separate but related article detailed a significant breach at the service provider Majorel, which specialized in account switching services. That attack resulted in the theft of more than 144,000 customer data records. Although Bank99 was not listed among the banks mentioned as being most severely impacted by the Majorel breach, the coincidence in timing and nature of the attacks suggests a possible connection or a parallel campaign exploiting the same MOVEit vulnerability across different service providers. The data stolen in these incidents included sensitive customer information. In the Majorel case, the compromised data consisted of customer names and account numbers, which subsequently appeared for sale on the darknet following the attack.

The primary impact of the incident for Bank99 was the confirmed compromise of customer data. The exposure of such information carries significant risks for the affected individuals, including potential financial fraud and phishing attempts. For the bank, the consequences included reputational damage and the operational burden of responding to the breach. The public disclosure of the incident was a reactive measure, following the discovery of the breach and the emergence of information in the public domain, such as the appearance of data on darknet markets.

In response to the incident, Bank99 took the step of publicly acknowledging the event. This confirmation, provided to a news organization, served as an initial official response. The bank's communication confirmed its status as an affected entity but did not elaborate on specific response actions taken internally, such as customer notifications, offering credit monitoring services, or enhancing its own security protocols following the third-party breach. The broader response to these attacks involved highlighting the widespread exploitation of the MOVEit software vulnerability, which impacted numerous organizations globally throughout 2023. The incident underscores the systemic risks associated with reliance on third-party service providers and the cascading effects of a single software vulnerability when exploited across a software supply chain. The theft of over 144,000 data records from a related service provider illustrates the substantial scale and serious nature of this coordinated campaign against financial service intermediaries.
