Cyber Incident Victim: Citycomp GmbH
Date: Apr 2019
Location: Germany
Summary
A Germany-based IT infrastructure provider serving major global corporations suffered a cyberattack resulting in the theft of over 500GB of sensitive financial and private client data. Attackers infiltrated the company's systems for over a month, citing inadequate security as their motivation, and demanded a $5,000 ransom while threatening public data release through a dedicated website. The compromised information affected numerous high-profile clients across industries including automotive, technology, telecommunications, and retail. The targeted firm refused payment, initiated forensic analysis, and notified all impacted organizations while cooperating with law enforcement. Multiple affected companies confirmed awareness of the breach and launched independent investigations alongside the provider. The attackers claimed exclusive responsibility for the infrastructure compromise, stating they would not pursue client organizations directly.
Description
On or around April 30, 2019, hackers breached Citycomp GmbH, a Germany-based provider of servers, storage, and computer equipment to major corporations. The attackers exfiltrated approximately 516GB of financial and private client data totaling 312,570 files across 51,025 folders. Victims included multinational corporations such as Airbus, Volkswagen, Porsche, Oracle, British Telecom, Ericsson, Toshiba, Hugo Boss, and UniCredit, with many entries specifically referencing German subsidiaries (denoted by "GmbH" designations) and German supermarket chains REWE and Kaufland. The hackers established a dedicated website to distribute stolen data, listing affected companies and making select files available for download. They demanded a $5,000 ransom from Citycomp while explicitly stating they would not extort client organizations, attributing responsibility solely to Citycomp's "totally awful security system." Attackers using the alias "Boris Bullet-Dodger" claimed one month of unauthorized network access prior to detection and falsely announced an April 31, 2019 data release date. Forensic analysis linked the attackers' contact email to previous ransomware campaigns.

Citycomp immediately engaged law enforcement and retained Deutor Cyber Security Solutions to manage the incident response. Executive Director Michael Bartsch confirmed the ongoing attack and extortion attempt, emphasizing full transparency with all affected clients regarding the data theft and public release. The company refused ransom payment while conducting technical and forensic analysis. Multiple impacted corporations, including Volkswagen and Porsche, publicly acknowledged the breach through official statements, confirming collaborative investigations with Citycomp to determine data exposure scope. British Telecom confirmed its cybersecurity team was actively investigating but declined further comment during the initial response phase. The attackers' data distribution website displayed significant variation in file exposure per victim organization, with some entities having only 1-3 files listed while others showed hundreds. No client organizations reported paying ransoms or receiving direct extortion demands following the breach disclosure.
