Cyber Incident Victim: Bitmarck
Date: Jan 2023
Location: Germany
Summary
A German IT service provider for statutory health insurers suffered a breach in which an attacker used stolen credentials to gain unauthorized access to a collaboration platform (JIRA/Confluence) in its infrastructure. The attacker exfiltrated roughly 350 MB of data, comprising fragmented policyholder records and corporate information (internal documents, project files and employee details), which was later posted on the darknet. Forensic analysis confirmed that core health-data systems and the telematics infrastructure were not affected, that no data was altered, and that no ransom demand was made. The organization applied immediate containment measures, engaged external forensic experts, notified the affected insurers and cooperated with the authorities in the investigation.
Description
On January 19, 2023, the Cyber Defence Team of Bitmarck, a major IT service provider for German statutory health insurers, detected unauthorized access to a portion of the company's IT infrastructure. An external attacker used stolen credentials to gain brief access to a collaboration system hosting JIRA and Confluence, and subsequently leaked company information on darknet forums. The compromised data consisted of project management files from shared customer project directories, including screenshots and documents in formats such as .csv, .html, .pdf, .img and .xlsx. Initial assessments indicated no exposure of insured members' data or health information, but later forensic analysis showed that fragmented datasets on insured individuals had also been exfiltrated. The attacker claimed to hold approximately one million records, including password hashes, employee details, VIP client information and data on executive personnel; Bitmarck stated that the 350 MB dataset contained many duplicates, so the actual number of distinct records was lower.

Bitmarck immediately activated containment measures in line with recommendations from Germany's Federal Office for Information Security (BSI) and external cybersecurity advisors. The integrity of the compromised system was restored, the attack vector was closed, and the authorities were notified. External forensic teams validated Bitmarck's response as effective and helped reconstruct the incident timeline from log files, confirming that the attacker's activity was confined to read-only access between specific timestamps and that no data was altered. Core systems processing health data and the telematics infrastructure components were not affected. All affected health insurers were notified promptly, and Bitmarck opened a high-priority internal investigation into why outdated data was still held on the collaboration server. The company stated that no ransom demand was received and that there was no direct communication with the threat actor. Ongoing analysis focuses on quantifying the scope of the data exposure and on deriving additional security controls from the investigation's findings.
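The timeline reconstruction described above, in which log files establish that a compromised account only read data within a bounded time window, is the kind of check an incident responder performs on web access logs. The following is an added example, not code from the original page or from Bitmarck or its forensic partners. It assumes a combined-log-style access log with the authenticated username as a trailing field (the real Confluence/Jira access-log layout is configurable and not given by the report), and the log lines and usernames are constructed for illustration. It groups requests by account, records first and last activity and source IPs, classifies each request as authentication, read or write, and totals response bytes as a rough proxy for exfiltrated volume.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines; the format (combined log + trailing username)
# is an assumption, not the layout of any real Bitmarck system.
SAMPLE_LOG = """\
10.0.5.21 - - [18/Jan/2023:22:41:07 +0100] "POST /login.action HTTP/1.1" 302 0 "-" "Mozilla/5.0" jdoe
10.0.5.21 - - [18/Jan/2023:22:41:09 +0100] "GET /pages/viewpage.action?pageId=1001 HTTP/1.1" 200 54321 "-" "Mozilla/5.0" jdoe
10.0.5.21 - - [18/Jan/2023:22:43:50 +0100] "GET /download/attachments/1001/export.csv HTTP/1.1" 200 987654 "-" "Mozilla/5.0" jdoe
10.0.5.21 - - [18/Jan/2023:23:05:12 +0100] "GET /rest/api/content/search?cql=type=page HTTP/1.1" 200 120000 "-" "Mozilla/5.0" jdoe
10.0.7.3 - - [19/Jan/2023:08:12:30 +0100] "GET /dashboard.action HTTP/1.1" 200 4000 "-" "Mozilla/5.0" asmith
10.0.7.3 - - [19/Jan/2023:08:15:02 +0100] "PUT /rest/api/content/1002 HTTP/1.1" 200 300 "-" "Mozilla/5.0" asmith
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"[^"]*" "[^"]*" (?P<user>\S+)$'
)

# HTTP methods that do not modify server-side state.
READ_METHODS = {"GET", "HEAD", "OPTIONS"}
# Login endpoints: a POST here is an authentication event, not a data write.
AUTH_PATHS = {"/login.action", "/dologin.action"}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Return 'auth', 'read' or 'write' for a parsed request."""
    path = rec["path"].split("?", 1)[0]
    if path in AUTH_PATHS:
        return "auth"
    return "read" if rec["method"] in READ_METHODS else "write"


def build_timeline(log_text):
    """Per-account activity summary: time window, source IPs, read/write counts, bytes served."""
    timeline = defaultdict(lambda: {
        "first_seen": None, "last_seen": None, "source_ips": set(),
        "auth_count": 0, "read_count": 0, "write_count": 0, "bytes_out": 0,
    })
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not silently misclassified
        entry = timeline[rec["user"]]
        if entry["first_seen"] is None or rec["ts"] < entry["first_seen"]:
            entry["first_seen"] = rec["ts"]
        if entry["last_seen"] is None or rec["ts"] > entry["last_seen"]:
            entry["last_seen"] = rec["ts"]
        entry["source_ips"].add(rec["ip"])
        entry[classify(rec) + "_count"] += 1
        entry["bytes_out"] += rec["bytes"]
    for entry in timeline.values():
        entry["read_only"] = entry["write_count"] == 0
    return dict(timeline)


def access_window(timeline, user):
    """(first_seen, last_seen) for an account, or None if the account is absent."""
    entry = timeline.get(user)
    if entry is None:
        return None
    return entry["first_seen"], entry["last_seen"]


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_LOG)
    for user, e in tl.items():
        print(f"{user}: {e['first_seen'].isoformat()} .. {e['last_seen'].isoformat()} "
              f"ips={sorted(e['source_ips'])} reads={e['read_count']} "
              f"writes={e['write_count']} bytes_out={e['bytes_out']} read_only={e['read_only']}")
```

Running it over the constructed log shows `jdoe` as read-only between 22:41:07 and 23:05:12 with about 1.1 MB served, which is the shape of finding the report describes; `asmith` has a PUT and so would need a closer look at what was changed. Response bytes overstate exfiltration when pages are fetched repeatedly and understate it when content is paged through an API, so treat the total as a ceiling to refine against the specific attachments and exports requested.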
