As convenient as online banking can be, it offers criminals many points of attack for stealing sensitive data. Thousands of bank customers have now fallen victim to a data leak. TECHBOOK explains whether you could also be affected and what to do if you are.
Bank customers don’t have it easy in the digital age. Fraudsters are trying to get hold of sensitive data using increasingly sophisticated methods. Attentive customers can protect themselves to some extent from deceptively real phishing emails or SMS, but what if hackers attack the bank or its partners? On Friday, July 7, 2023, Postbank and Comdirect announced that unauthorized persons had stolen personal data through a data leak. It has since become known that customers of ING and Deutsche Bank are apparently also affected.
Hacker attack on the Moveit software
The data leak did not occur at the banks themselves, but at the account switching service Majorel Germany, with which the financial institutions work. Since 2016, financial institutions have been legally obliged to support their (new) customers when switching accounts. This means that the banks take over, among other things, the previous direct debit orders and incoming and outgoing transfers from the old account. The banks have Majorel Germany or its subsidiary Kontowechsel24.de carry out this data transfer, which by law must be completed within a maximum of twelve business days. The company uses the Moveit software for this purpose, and that software was the weak point the hackers exploited, probably not for the first time.
The Moveit software is used by many international companies from a wide variety of industries. As early as June 2023, the Clop extortion group carried out a successful attack on the British payroll service provider Zellis, which also worked with the Moveit software. Zellis's affected customers included the BBC, British Airways, Aer Lingus, Boots, as well as the University of Rochester and the government of the Canadian province of Nova Scotia. The damage caused by vulnerabilities and data leaks in this data transfer software is therefore immense. And now bank customers in Germany are also affected. However, it is not yet known who is behind the attack on Majorel.
This data was stolen
According to its own statements, Majorel Germany has already closed the data leak. The stolen data includes the first names, last names and IBANs of Deutsche Bank, Postbank and Comdirect customers who used Majorel’s account switching service in 2016, 2017, 2018 and 2020, according to a Deutsche Bank spokesman. At ING Germany, too, the data was probably stolen from customers who switched accounts a few years ago. “A low four-digit number” of ING customers is said to be affected. According to the current state of knowledge, however, apparently only the data from the statutory account switching assistance is affected, and not that of the “account switching service, which we use much more frequently”, a spokesman for ING confirmed to TECHBOOK. This account switching service, which is not required by law, is an additional offer from ING for new customers. But here, too, ING works with Majorel Germany.
Although the stolen data is personal and sensitive, it is not enough for criminals to empty the account. That is the good news. However, fraudsters can use it to initiate direct debits. Affected customers should therefore keep a particularly close eye on their accounts in the future and report unauthorized direct debits immediately to their bank and, if necessary, to the police. In the case of unauthorized direct debits, customers can still request their money back from the bank up to 13 months later. That too is good news.
Beware of phishing emails
The bad news, however, is that affected customers are now at greater risk of fraud. Their banks have been informing them of the data leak since Friday. Those potentially affected should now be particularly vigilant if they receive an e-mail from their (supposed) financial institution, because with personal data such as the name and the IBAN, fraudsters can create phishing emails that look particularly real. For this reason, affected ING customers will be notified by letter, which should arrive by the end of this week at the latest. If you have received a suspicious e-mail, never open a link it contains; instead, contact your bank via another channel, for example by telephone, to verify the content of the e-mail. Postbank additionally warns on its website about phishing emails that scammers send with reference to the IT changeover that took place at the beginning of 2023.
Although Comdirect has been affected by the hacker attack, customers of its parent company Commerzbank do not have to worry, based on the current state of knowledge. Customers of the Volksbanken and Raiffeisenbanken, as well as the savings banks, can also breathe a sigh of relief. According to their own statements, these credit institutions do not work with Majorel Germany.