Cyber criminals changed bank details at the Federal Employment Agency
According to the government, a total of 831 online accounts at the Federal Employment Agency were attacked. In 121 of these, the IBAN had been changed.
Unknown persons gained access to online accounts on the portal of the Federal Employment Agency (BA) at the end of March. The German government has confirmed the cyber attack in a recently published answer to a question from the AfD parliamentary group. The access data was obtained via compromised private end devices, not via the systems of the Nuremberg authority. A total of 831 accounts of benefit recipients were attacked by third parties. In 121 of these, the cyber criminals managed to change the international bank account number (IBAN).
"Of these 121 online accounts, four were in an ongoing, active benefit claim," reports the responsible Federal Ministry of the Interior. According to the current state of knowledge, however, the BA and the benefit recipients have suffered "no damage". The agency has deactivated all profiles affected by the cyberattack and prevented "any unlawful payments to third parties".
The government is unable to say whether the perpetrators of the online attack are part of organized crime. The employment agency has filed a criminal complaint. However, it does not yet have any information from the investigation. In principle, the agency cannot prevent unknown third parties from stealing access data from users of the online portal. However, since April 24, 2025, online changes to bank details have only been "substantially" possible with the BundID and the associated level of trust.
Two-factor authentication now mandatory
Since April 29, 2025, all online accounts must use a second factor to log into the agency's portal, according to the government. In addition to the BundID introduced at the BA in 2024, this form of authentication could include passkeys with a biometric process or time-based one-time passwords (TOTP). The Nuremberg authority had previously only recommended multifactor authentication.
At the end of March, the BA itself initially stated only that it had set up a "technical maintenance page" on all online accounts due to the attack in the area of personal data. According to the agency, this affected customers who wanted to reapply online for benefits such as unemployment benefit. The agency therefore temporarily asked those affected to have their data recorded at their respective office, such as a job center. In addition to the police, the Federal Data Protection Commissioner and the Federal Office for Information Security (BSI) were brought on board.
(olb)