Virtual Round Table · Jul 22

View the event
Unsafe ransomware crew claims a Deutsche Bank supplier breach as the bank denies network compromise
Cybersecurity

Unsafe ransomware crew claims a Deutsche Bank supplier breach as the bank denies network compromise

The Unsafe group published employee records it attributes to a Deutsche Bank third-party provider, the bank says its investigation found no evidence of a corporate-network compromise, and DORA's incident clock frames the whole dispute.

PublishedJuly 16, 2026
Read time7 min read
Share

Claim and denial

The ransomware group Unsafe has published a set of employee records it attributes to a Deutsche Bank third-party service provider, claiming it released the data after the bank did not meet a ransom demand. According to cybersecurity outlets covering the leak, the exposed records purportedly include email addresses, password hashes, physical addresses, employment status, and work history. The group operates a ransomware-as-a-service model built on double extortion, encrypting victims and threatening to publish stolen data. Deutsche Bank confirmed it was investigating an incident involving a third-party provider while contesting the severity of what the attackers claim to hold on their leak site.

The bank's public position is firm. Deutsche Bank strongly denied that a significant security breach occurred, stating that its investigation found no evidence of a third-party compromise affecting its corporate network and that no sensitive employee information had been exposed. The two accounts are hard to reconcile from the outside: Unsafe has posted what it presents as employee database records as proof, and the bank characterizes the matter as neither significant nor reaching its network. We cannot verify the authenticity or scope of the leaked data. What is clear is that a supplier to one of Europe's largest banks sits at the center of an active extortion claim.

Who Unsafe is

Unsafe is not a new name. Researchers first observed the group in December 2022, after which it went largely quiet through 2024, and it resurfaced with renewed activity around December 2025. Its 2026 victim list skews toward organizations in the United States, Germany, Switzerland, and France. The operation follows the now-standard double-extortion playbook, pairing encryption with data-leak threats to pressure payment, and it runs a leak site where it publishes stolen material from non-paying victims. The Deutsche Bank posting fits that pattern precisely: name a high-profile target, publish a sample as proof, and let the reputational pressure do the negotiating for the crew.

The revival of a dormant group is worth noting on its own. Ransomware brands cycle in and out of activity as operators regroup, rebrand, or return after law-enforcement attention fades, and a crew that resurfaces after a long pause often comes back with refreshed tooling and affiliates. For defenders, the practical implication is that threat intelligence keyed only to currently active groups misses the ones about to return. Unsafe's reappearance, and its willingness to target a systemically important bank through a supplier, signals a group operating with some confidence. We would treat its claims as serious enough to investigate even where the headline victim disputes the specifics.

The third-party dimension

The most instructive element is where this incident sits: at a supplier, one step removed from the bank's core network. Even in Deutsche Bank's own framing, the matter involves a third-party service provider, reportedly a marketing or peripheral platform. That distinction shapes both the real-world impact and the regulatory obligations. Employee contact details and password hashes from a supplier platform carry genuine phishing and credential-stuffing risk, and they fall short of the customer financial data that would constitute a systemic event. The exposure is real, and its severity depends entirely on what the provider held and how tightly it connected back to the bank.

This is the third-party ICT risk that regulators have spent years warning about, playing out in public. Large financial institutions run on hundreds of suppliers, and each one that processes employee or operational data is a potential leak point that lives outside the bank's own security perimeter. Deutsche Bank can run a rigorous internal program and still face a leak because a marketing vendor was compromised. The lesson enterprise leaders keep relearning is that a supplier's breach becomes your disclosure problem, your reputational problem, and increasingly your regulatory problem, regardless of how well your own network actually held up.

DORA turns this into a reporting question

The reason this incident matters beyond Deutsche Bank is that it lands squarely inside the EU's Digital Operational Resilience Act. Under DORA, a financial entity must capture third-party incidents immediately upon awareness and begin classification on detection timelines, before forensic certainty. If an incident is classified as major under the Article 18 criteria and Delegated Regulation 2024/1772, the reporting clock is tight: an initial notification within 4 hours of major-incident classification and a maximum of 24 hours from awareness, an intermediate report at 72 hours, and a final report within one month, filed to regulators including BaFin and the ECB.

Whether Deutsche Bank owed a major-incident report turns on facts the public does not have. Reportability under DORA hinges on client impact, duration, data losses, and service criticality, and a peripheral marketing platform likely avoids major status unless it supported regulated functions. A separate GDPR clock also applies, with a 72-hour window from awareness to notify authorities of a personal data breach. The point for any regulated firm is that these timelines start on awareness of a supplier incident, so the ability to detect, classify, and decide quickly has become a compliance capability in its own right, sitting alongside the security work.

The disputed-facts problem

Disputed facts are the hard part of modern breach response, and this case shows why. Deutsche Bank denies a significant compromise, Unsafe has published data it says proves one, and both statements can be partly true if a low-severity supplier platform was breached while the bank's core network stayed untouched. Regulators, customers, and employees have to make decisions during that ambiguity, and the DORA framework deliberately forces early classification so that uncertainty does not become an excuse for delay. A firm that waits for forensic certainty before starting the clock risks missing statutory deadlines that begin the moment it becomes aware.

For technology and risk leaders, the operational answer is to separate the disclosure decision from the attribution debate. You can acknowledge a supplier incident, classify it against your regulatory criteria, and notify on the required timeline while still contesting an attacker's specific claims about scope. Conflating the two, holding off on any disclosure because you dispute the hacker's numbers, is how organizations back into late-notification findings. We read the Deutsche Bank episode as a reminder that your incident process must run on your own obligations and evidence, and stay independent of whatever a leak site is asserting on any given day.

What to take from it

Regulated firms should use this as a tabletop prompt. Does your incident process trigger on awareness of a third-party breach, or only on confirmed impact to your own systems? Can you classify a supplier incident against DORA's major-incident criteria within hours, and do you know which of your vendors support regulated or critical functions well enough to make that call quickly? DORA's Articles 28 to 30 require maintaining an ICT service register and contracts that mandate vendor notification without undue delay. If your supplier contracts and registers cannot produce those answers under time pressure, the compliance gap already exists before any attacker arrives.

Beyond compliance, the durable lesson is about visibility into supplier data holdings. Deutsche Bank's difficulty in flatly refuting the leak comes in part from the challenge any large enterprise faces in knowing exactly what employee and operational data each vendor holds and how it is secured. Tightening that visibility, through data mapping, minimization of what suppliers store, and enforced notification clauses, is what lets you meet a claim like Unsafe's with facts. The attackers have made supplier platforms a favored target, and the regulatory regime has made your response to those attacks a measured, time-bound obligation.

Tagged#news#security#cybersecurity#breach#cisa#ransomware#zero-day#supply-chain#ai-security#regulation