Cyber Incident Victim: Versicherungskammer Bayern
Date: May 2023
Location: Germany
Summary
A cyberattack targeted the Majorel IT service provider, exploiting a vulnerability in the MOVEit secure file transfer platform used by Versicherungskammer. The incident resulted in the exfiltration of protected customer data, specifically personal information from approximately 17,900 Riester pension contracts. While bank details and login credentials remained secure, data sets used for tax ID queries were also copied. The company implemented measures to minimize damage, notified regulators, and established a hotline for affected individuals.
Description
On or around May 31, 2023, a cyberattack was launched against Majorel, a globally operating company. The specific target of this attack was the "MOVEit" secure file transfer platform, a product of the company Progress, which is used worldwide for the encrypted transfer of data. Majorel was a service provider for the Konzern Versicherungskammer (VKB), Germany's largest public insurer, which utilized Majorel's services for the administration of its Riester pension subsidy contracts. The attack was not discovered by VKB immediately; the company was formally notified of the breach by its service provider on June 14, 2023. The notification informed VKB that cybercriminals had successfully gained access to protected data through the exploitation of a vulnerability in the MOVEit software.

Upon being informed, VKB initiated its response. The software vendor, Progress, had already addressed the security flaw immediately upon its discovery, but the remediation could not prevent a prior exfiltration of customer data. VKB stated that it took all available data-securing measures following the discovery. In accordance with the General Data Protection Regulation (GDPR), the company promptly notified the relevant data protection authority. Additional notifications were made to the Federal Financial Supervisory Authority of Germany (BaFin), the company's distribution partners, and crucially, the individuals whose data was affected by the breach. To handle inquiries from these affected persons, VKB established a dedicated telephone hotline.

The scope of the incident was significant, impacting personal data extracted from approximately 17,900 Riester contracts held with Bayern-Versicherung, a subsidiary of the Konzern Versicherungskammer. The geographical distribution of these affected contracts was highly concentrated, with around 17,700 contracts located in the Saarland region. A further 200 impacted contracts were spread across the regions of Bavaria, Palatinate, Berlin, and Brandenburg. An additional subset of approximately 1,400 contracts was involved in a separate but related data exposure; for these, datasets containing information used for querying a tax ID number were unlawfully copied. The company provided specific assurances regarding what data was not stolen, clarifying that bank data and any potential access credentials for the Riester online registration portal—specifically login names and passwords—were not taken during the incident.

Immediately after becoming aware of the attack, VKB undertook all available measures to minimize potential harm. This included intensifying organizational safeguards to ensure that no unauthorized changes could be made to the affected insurance contracts. The company's public communications advised impacted customers to be particularly vigilant regarding unsolicited correspondence, requests, or contact attempts that seemed unusual or were not explicitly requested. Customers were further advised to inform any contacts they may have listed on their subsidy application forms about the potential for suspicious communications.

The incident stemmed from a global attack vector targeting a third-party service provider upon which VKB relied for a critical business function. The compromise did not originate within VKB's own direct IT infrastructure but rather through the supply chain, highlighting the cascading risk associated with software dependencies. The primary impact was the confirmed exfiltration of personal data, though the exact nature of all data elements taken was not fully detailed beyond the categories of information related to Riester contracts and tax ID queries. The response followed a structured protocol of regulatory compliance, stakeholder communication, and customer support, focusing on transparency and the prevention of secondary fraud attempts against the affected policyholders.
