
Cyber Incident Victim: Tannenhütte

Date: Mar 2025

Location: Germany

Summary

The innkeeper of the Tannenhütte discovered that an unauthorized party had accessed her SumUp payment service account and created a linked business account, diverting all subsequent card payments to foreign accounts. After noticing the missing funds, she reported the incident to police, contacted SumUp, and alerted the Irish financial regulator. SumUp later reimbursed the lost amount, describing it as compensation without accepting responsibility for the breach.


Description

Anna-Maria Staller has been the proprietor of the Tannenhütte mountain hut at 940 metres elevation near Wank since 2017. In late March 2025 an unknown actor gained unauthorized access to her user account with the payment service provider SumUp and created a business account within that system. All card payments processed at the hut after the intrusion were automatically redirected to the fraudulent account and subsequently transferred to overseas bank accounts. Staller did not notice the diversion until several days later when she reviewed her transaction records and discovered that two weeks of expected revenue were missing.


She promptly filed a police report with the Garmisch-Partenkirchen authorities, contacted SumUp’s support team, and notified the Irish financial supervisory authority that oversees the company’s European operations. For several weeks after the initial report SumUp did not provide any substantive response or communication to Staller. During this period she reached out to other small business owners who had experienced similar payment‑system compromises and began discussing the possibility of a joint legal action. The local police later stated that they had not recorded any additional fraud cases linked to card‑payment systems in the region.

Eventually SumUp’s European headquarters contacted Staller and transferred the amount of money that had been diverted, describing the payment as compensation while refusing to accept responsibility or provide details about how the breach occurred. Staller accepted the restitution but continued to publicize the incident through a video posted on Instagram, in which she described the emotional and financial strain of losing two weeks of turnover. She reported that numerous other merchants had contacted her after the video gained attention, indicating a broader concern about the security of cashless payment systems for small enterprises.
