Data leakage is now also the concern of the financial regulator

The financial regulator Bafin is concerned with data leaks at banks and insurers

The Comdirect, which is part of Commerzbank, also confirmed that criminals had access to customer data.


Frankfurt. The large-scale data theft by the hacker group Clop at numerous German banks and insurers is now also occupying the financial supervisory authority. “Bafin is aware of the incident. We are in close contact with the supervised companies,” a spokesman for the authority told the Handelsblatt. He declined to give details of the talks.

The hacker group had exploited a vulnerability in the MOVEit file transfer program that had gone undetected for months. In the past few weeks, more than 260 companies and authorities worldwide have fallen victim to the Clop group, including a service provider from Germany that is important for the financial sector.

The service company Majorel Germany, which among other things operates the account switching service Kontowechsel24.de, confirmed earlier this week that it had been the target of a hacker attack. Its cybersecurity team closed the gap immediately. According to the latest available figures, Kontowechsel24.de carried out 400,000 account switches and transferred three million sets of bank details in the 2019 financial year.

The list of affected banks and insurance companies is getting longer every day. The most recent example is the cooperative Sparda banks. The Association of Sparda Banks confirmed that the “data incident at a third-party service provider for changing accounts” also affected some customers of the Sparda banks. “According to our information, there are a total of around 900 reported cases,” said an association spokeswoman.

The affected Sparda banks informed their affected customers “immediately” and took all “necessary security precautions”.

Deutsche Bank, Postbank, ING and Comdirect had previously confirmed that criminals had gained access to personal data via the account switching service. ING speaks of a “low four-digit number” of affected customers who had used the statutory account switching assistance.

Provinzial and Versicherungskammer Bayern are also affected

Insurers are also affected by the data leak surrounding the MOVEit file transfer service. Provinzial reported that in mid-June it was informed of the security gap by a service provider of the group that uses the software.


The data transfer was then stopped immediately. However, customer data from Riester contracts of Provinzial Rheinland Lebensversicherung and Provinzial NordWest Lebensversicherung was stolen. At the same time, the insurer emphasized that no bank details and no login names or passwords for the Riester online application had been taken.

The situation is similar at Versicherungskammer Bayern. The company announced that the attack affected personal data from around 17,900 Riester contracts of the group's Bayern insurance company. Around 17,700 of these contracts were in the Saarland business area and 200 in the Bavaria/Palatinate and Berlin/Brandenburg regions. In addition, there were around 1,400 contracts for which data records used to query the tax ID were copied without authorization.

>> Read here: Data leak also affects customers of the direct banks ING and Comdirect

Although the data leak affects companies across all sectors that have worked with the IT service provider Majorel, which was hit by the cyber attack, insurers come under particular scrutiny in the event of hacker attacks. On the one hand, they often also offer prevention services to companies that take out cyber insurance with them, in order to prevent attacks as early as possible.

On the other hand, they often seem to have some catching up to do when it comes to cyber protection. The financial regulator Bafin also keeps an eye on this. At the beginning of the year, Bafin boss Mark Branson emphasized that he considers medium-sized insurers to be more vulnerable to cyber attacks than banks.


The financial regulator Bafin has long been warning of the dangers of cyber risks, and also of the risks that banks and insurers take on when they commission external companies with important services, as is often the case for account switching. Since the end of 2022, companies supervised by Bafin, such as banks, insurers, pension funds and fund companies, have had to report every new relevant outsourcing arrangement.

>> Read here: Cyber defense experts are becoming scarce

“Through this sector-wide notification obligation, Bafin gets an overview of outsourcing arrangements and of the hiving-off of functions,” said a spokesman. In this way, Bafin can also identify service providers that work for many institutions, and thus assess the risk posed by a widely used service provider that gets into difficulties. On this basis, the authority can also monitor a multi-client service provider.

“The reporting obligation also includes the reporting of serious incidents such as IT security incidents during outsourcing,” the Bafin spokesman emphasized. In this way, the supervisory authority can also “proactively” warn other financial companies. Bafin has “already used this advantage of the new notification obligation in the recent past”.

More: New data leak: Thousands of companies could be affected
