Deutsche Bank confirms a third-party vendor incident after 'Unsafe' ransomware group posts alleged employee data
The ransomware/extortion group "Unsafe" listed Deutsche Bank on its dark-web leak site and published screenshots of alleged database exports, terminal commands and employee records — email addresses, password hashes, physical addresses — as proof of a claimed breach of the bank's "internal systems" (Cybernews, 2026-07-07; Cybersecurity Insiders, 2026-07-08). Deutsche Bank's own spokesperson, in a statement carried on 2026-07-08/09, said the incident did not involve the bank's own network but instead affected a third-party company in Germany that runs a marketing and incentive platform for the bank's sales partners, with "no indication that Deutsche Bank's internal systems or networks were or are affected" (Computing UK, 2026-07-09). Researchers assessing the leaked samples said the data appears to relate to bank employees but that they could not determine whether any customer information was included.
Unsafe operates a ransomware-as-a-service, double-extortion model; after a relatively quiet 2024–2025 it re-emerged in 2026 with reported targets in Germany, the United States, Switzerland and France — the same-actor reach into this constituency's home region being the reason the item is in scope rather than the victim's name. The actual initial-access vector into the German vendor has not been disclosed by any party, and generic secondary profiling of Unsafe's tooling should be treated as unverified for this specific intrusion.
"We have been informed of a cybersecurity incident at an external service provider," the spokesperson said, adding that there was "no indication that Deutsche Bank's internal systems or networks were or are affected" and no evidence of unauthorised access to the bank's network.
Based on the available samples, it's not possible to determine whether customer data is included in the alleged breach
Defender actions
- Treat leaked employee directories (email + password hashes + physical addresses) from any vendor compromise as an active spear-phishing and credential-stuffing target list: force password resets and step up MFA/phishing-resistant auth for named employees, and brief them on tailored social-engineering attempts.
- Inventory outsourced marketing/incentive/HR SaaS platforms that hold employee PII and confirm your incident-response and breach-notification obligations account for vendor-side compromises that surface under your brand — Deutsche Bank has now been hit through third parties repeatedly.
- Track 'Unsafe' as an actor with reported 2026 targets in Germany, Switzerland and France when scoping RaaS/double-extortion threat models for EU financial and public-sector bodies.
Entities & scope
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.