Customers of various German banks have to reckon with unauthorized direct debits from their accounts following a data hack.

A data breach in Germany is spreading: hackers have stolen the first and last names and IBANs of thousands of customers of several German banks.

The data theft became public last Friday when the German magazine «Spiegel» (in German) reported that an unknown quantity of personal customer data had been snatched from Deutsche Bank and Postbank.

Direct Debit Danger

According to Deutsche Bank, the case involves customers who had used an account switching service between 2016 and 2020. While the criminals had no direct access to the accounts of those affected, they could carry out unauthorized direct debits by using the IBANs and names of the account holders.

Unauthorized persons could also use the data in an attempt to capture further personal information via calls or e-mails, and exploit it for fraudulent purposes such as phishing and password theft.

Leak at Account Switching Service

Meanwhile, the incident is spreading to other banks. Customer data has fallen into the wrong hands at ING Deutschland and Commerzbank subsidiary Comdirect, according to a «Frankfurter Allgemeine Zeitung» (in German) report Wednesday.

The hackers didn't attack the banks directly, but rather an external account switching service called Kontowechsel24, which helps customers who want to switch to another bank and transfer their customer relationship.

EU Directive as Driver

In Germany, financial institutions are required by a 2016 law to support customers in switching accounts. The new bank must accept incoming and outgoing transfers and direct debits from the old account within twelve business days.

The regulations are part of the Payment Accounts Act, which transposed an EU directive into German law. No such obligations exist in Switzerland.

As digital services become more widespread, attempted fraud by hackers is also on the rise. The perpetrators use sophisticated methods and range from private criminal groups to state-backed hackers. Financial institutions must therefore upgrade their digital banking capabilities.