Deutsche Bank and Postbank have notified their customers about a security gap at one of their service providers, which resulted in a leak of sensitive data. The breach was caused by attackers exploiting a software vulnerability, according to a letter sent to those affected. The leak only affected customers who used the account switching service of both banks between 2016 and 2020. The number of affected individuals is unknown at this time.
The leaked data includes customer names and IBANs, though Deutsche Bank has assured that the criminals cannot access customer accounts with this information alone. However, they can carry out unauthorized direct debits using the stolen data. Additionally, unauthorized individuals may attempt to obtain further personal data through phishing and password scamming.
Both banks are advising their clients to closely monitor their transactions and account statements in the coming weeks. If any suspicious activity is noticed, affected customers are encouraged to contact their bank immediately. If a direct debit is observed that the customer did not initiate, Deutsche Bank recommends taking action promptly. Unauthorized direct debits can be reclaimed from the bank within 13 months, and the funds will be refunded. Reporting suspicious debits to the police is also advised.
The data protection authority in North Rhine-Westphalia stated that it is unclear if the companies responsible for the breach have already reported the incident, which is mandatory under the General Data Protection Regulation (GDPR).
The security gap has reportedly affected over 100 companies in more than 40 countries. It is currently unknown which service partner and program are involved, as well as the extent of the potential damage. However, immediate measures have been implemented to prevent further incidents.
Postbank had planned to migrate all of its 12 million customers to a joint IT platform with Deutsche Bank in early July. The leaked data is said to be unrelated to this migration.
