According to banks, the data leak at the account switching service provider Majorel that became known in the summer affected significantly more customers than initially known. In addition, the data has now appeared on the Darknet, a hidden part of the Internet, and is probably being offered for sale there. Customers of ING, Deutsche Bank, Postbank and Comdirect are affected. ING spoke of a low five-digit number of customer records that had been stolen. Most recently, there had been talk of a four-digit number. The data collected includes first and last names as well as the IBAN. “We are also in close contact with the service provider as well as with the relevant data protection and law enforcement authorities. We are continuously monitoring the situation,” said a spokesman for ING.
Deutsche Bank also announced that it had been informed by an external service provider, which provides the statutory account switching assistance for the bank, that the scope of the so-called MOVEit data leak is more extensive than announced in June 2023. All subsequently identified customers will be notified, and those customers who have already been informed will be told of the new development. The stolen data came from the years 2016 to 2020 and only concerns customers who took advantage of the statutory account switching assistance in accordance with the Payment Accounts Act. If there are suspicious bookings or unusual activity, customers should contact the bank directly. Unauthorized direct debits could be returned for up to 13 months. The money will be refunded by the bank. Comdirect customers are also affected; these are “customer data sets in the low-digit range,” said a Commerzbank spokeswoman.
The service provider is Majorel Germany, which, through its wholly owned subsidiary Kontowechsel24.de, aims to make it easier for bank customers to switch from one financial institution to another. The hacker attack is due to a security flaw in the MOVEit software that affects many companies around the world. It was said in the summer that the security gap was closed immediately after it became known. A spokeswoman for Majorel confirmed that a small number of customers were affected by the hacker attack on the MOVEit software. “We closed the security gap immediately after it became known and took all necessary measures to ensure the security of our systems.” In addition, all responsible authorities were informed and criminal charges were filed.
“Critical dialogue with the service provider”
Since September 2016, financial institutions in Germany have been legally obliged to support consumers when changing accounts. The new institution must take over incoming and outgoing transfers as well as direct debits from the old account. The new account should be set up after twelve business days at the latest. The regulations are part of the Payment Accounts Act, which implemented an EU directive into German law. Providers like Kontowechsel24.de advertise a “quick and uncomplicated” change of bank details. According to a report from the dpa news agency, in the 2019 financial year the company carried out 400,000 account changes using its system and converted three million bank details. The Volksbanks and Sparkassen, where the account switching service in question is said not to have been used, are not affected.
The leak shows once again that customers, even at well-known companies such as large banks, always have to expect that their data will be stored not only there, but sometimes also with service providers. Meanwhile, anger at the service provider is growing among the affected banks. “We are in critical dialogue with the service provider about the circumstances of this renewed report to us. We are not commenting further on this dialogue,” said a spokesman for Deutsche Bank. In circles at the institution, it was said that they were considering hiring an auditor to investigate the events at Majorel.