Deutsche Bank confirms third party breach exposed customer data through MOVEit vulnerability

Deutsche Bank has confirmed that a data breach on one of its service providers has resulted in the exposure of customer data.

The attack is likely due to a MOVEit Transfer vulnerability data-theft attack

Deutsche Bank's own systems were not affected, and the breach impacted customers in Germany who used the bank's account switching service in specific years, with only a limited amount of personal data being exposed.

The number of impacted clients has not been publicized, but Deutsche Bank stated that they have all been informed and advised what precautions should be taken.

Update - Part of the stolen data was leaked in July of 2023. The leaked data include customers’ names and International Banking Account Numbers (IBAN) for individual customers in Germany who used the service in 2016, 2017, 2018, and 2020. Although threat actors cannot access the customers’ accounts, the leaked details could allow them to initiate unauthorized direct debits.
Subsequently, Deutsche Bank AG extended the unauthorized direct debit returns window to 13 months, granting customers more time to discover and report fraudulent transactions for a refund.

Per research of German media, the security incident on the unnamed service provider used by Deutsche Bank has also impacted other german banks and financial service providers. A statement from Commerzbank confirmed that the breached service provider is 'Majorel,' who also independently confirmed that it had been the target of a cyberattack.