Deutsche Bank AG has confirmed to BleepingComputer that a data breach at one of its service providers has exposed its customers’ data in a probable MOVEit Transfer data theft attack.
“We have been made aware of a security incident at one of our external service providers, which operates our account switching service in Germany,” a spokesperson told BleepingComputer.
“In addition to our service provider, we understand that over 100 businesses in over 40 countries are potentially impacted,” the statement said, hinting that the incident is related to the wave of Clop ransomware MOVEit attacks.
“Deutsche Bank’s systems were at no time affected by the incident at our service provider,” assured the banking giant.
Germany’s state-owned bank, which is one of the largest in the world with total assets of $1.5 trillion and annual net income of $6.3 billion, said the incident had an impact on customers in Germany who had used its account switching service in 2016, 2017, 2018, and 2020.
The bank said only a limited amount of personal data was exposed due to the security incident.
The number of customers affected has not been determined, but Deutsche Bank said they have all been notified accordingly of the direct impact and precautions to take regarding their exposed data.
Meanwhile, the bank is investigating the causes of the data leak and taking targeted measures to improve its data security precautions to prevent similar incidents from affecting its customers in the future.
Deutsche Bank said cybercriminals cannot access accounts using the exposed data, but they could try to initiate unauthorized direct debits.
In response to this risk, the bank has extended the period for unauthorized direct debit returns to 13 months, giving its customers ample time to identify, report and receive reimbursement for unauthorized transactions.
Other banks impacted
According to German media, the security incident at the unnamed service provider used by Deutsche Bank also impacted other major banks and financial service providers, including Commerzbank, Postbank, Comdirect and ING.
Handelsblatt received a statement from Commerzbank confirming that the hacked service provider is “Majorel”, which has also independently confirmed that it was the target of a cyberattack exploiting a flaw in the MOVEit software.
Commerzbank told German media that none of its customers were affected, but its subsidiary, Comdirect, was indirectly affected.
Postbank limited itself to confirming the limited impact of the incident, without disclosing the number of customers affected.
ING said it was aware of a cyberattack on a service provider that affected a “four-digit number of customers” who used account switching services.
BleepingComputer has requested comment from all affected financial service providers, but has not yet received a response.