Germany is Europe's largest economy and one of the most-breached jurisdictions on the continent. The average cost of a data breach in Germany reached 4.9 million EUR in 2024 (around 5.31 million USD), ranking the country among the top five most expensive globally according to the IBM Cost of a Data Breach Report 2024. Since GDPR came into force, German organizations have filed more notifications than any other EU member state.
This article lists the 10 most significant data breaches in German history - from the 2014 credential mega-leak to the 2025 Samsung Germany leak - alongside reporting rules, GDPR fines and prevention patterns that apply to any organization operating in Germany.
Germany's position as Europe's industrial powerhouse and its geopolitical role in NATO and the EU produce an outsized attack surface, while its fragmented 16-authority data protection regime shapes how breaches are reported and sanctioned. Attackers target German firms for high-value intellectual property in automotive, chemicals, engineering and finance. State-sponsored groups target political institutions. Mid-sized Mittelstand suppliers with weaker defenses are exploited as the entry point into larger enterprises.
Germany hosts globally recognized brands in automotive (Volkswagen, BMW, Mercedes-Benz), engineering (Siemens, Bosch), chemicals (BASF, Bayer) and finance (Deutsche Bank, Allianz). These companies hold trade secrets, manufacturing data, R&D pipelines and customer records. This concentration of high-value IP makes German organizations a priority target for financially motivated cybercriminals and state-sponsored espionage groups seeking competitive advantage.
Germany's role in NATO, the EU and the G7 places it in the crosshairs of state-sponsored operations. Russian-linked group APT28 (Fancy Bear) has repeatedly targeted the Bundestag and political parties. German authorities formally attributed the 2015 Bundestag hack to Russia's GRU Unit 26165 in 2020. Germany's support for Ukraine since 2022 has intensified these threats, with multiple attribution cases confirmed by the BSI and German prosecutors.
Germany enforces the GDPR through 16 state-level data protection authorities, which makes the supervisory landscape fragmented and the competent authority dependent on where a controller is established. On the defensive side, Germany's Mittelstand - tens of thousands of small and medium-sized enterprises - handles sensitive industrial and customer data but often lacks enterprise-grade cybersecurity resources. The result is a broad, uneven attack surface that cybercriminals exploit through supply chain and third-party vectors.
The table below summarizes the ten largest German data breaches by scope, year and regulatory outcome. Detailed case descriptions and prevention patterns follow below.
| # | Company / Entity | Year | Records or Scope | Regulatory Outcome |
|---|---|---|---|---|
| 1 | German Credential Mega-Leak | 2014 | 16M email/password pairs | Pre-GDPR |
| 2 | German Bundestag | 2015 | 16 GB, 5,000+ PCs | State attribution (2020) |
| 3 | German Politicians Data Leak | 2018/19 | ~1,000 public figures | Criminal prosecution |
| 4 | Knuddels.de | 2018 | 1.8M (330K confirmed) | 20,000 EUR GDPR fine |
| 5 | Mastercard Priceless Specials | 2019 | 90,000 members | Investigations opened |
| 6 | H&M Nuremberg | 2014-19 | Several hundred employees | 35.3M EUR GDPR fine |
| 7 | Scalable Capital | 2020 | 33,000 customers | 2,500 EUR non-material damages awarded to one claimant |
| 8 | University Hospital Düsseldorf | 2020 | 30 servers, emergency shutdown | Negligent homicide investigation |
| 9 | Motel One | 2023 | 6 TB, 150 card details | Law enforcement cooperation |
| 10 | Samsung Germany / Spectos | 2025 | ~270,000 customer records | BfDI review ongoing |

Case 1: German Credential Mega-Leak (2014)

| Details | Information |
|---|---|
| Date | April 2014 (disclosed by BSI) |
| Impacted Customer Number | Approximately 16 million email/password combinations |
| Breached Data | - Email addresses - Passwords - Login credentials for online services |
In April 2014 the German Federal Office for Information Security (BSI) confirmed that police in northern Germany had uncovered approximately 16 million stolen email address and password combinations, three months after a first haul of the same size had been disclosed in January 2014. It was the largest credential leak in German history at the time; around 3 million of the credentials belonged to German users. The stolen data was actively used for unauthorized online purchases and identity fraud.
The discovery highlighted systemic password reuse and the vulnerability of online services to credential-based attacks. The BSI launched a public lookup site so citizens could check whether their credentials were compromised.
Prevention methods:
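The BSI's lookup site let citizens check whether their credentials appeared in the leak. The example below, added here and not the BSI's own implementation, shows how such a lookup can be built so that the service never receives the raw email address or password: the client hashes the value locally, sends only the first five hex characters of the hash, and receives every matching suffix back (the range-query pattern popularised by Have I Been Pwned's Pwned Passwords API). The leaked corpus `LEAKED_SECRETS` is constructed sample data, not data from the 2014 leak.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a leaked-credential corpus (not data from the 2014 leak).
LEAKED_SECRETS = ["123456", "password", "qwerty", "sommer2014", "hallo123"]

def sha1_hex(value: str) -> str:
    # SHA-1 serves only as an identifier for a leaked value here, never for password storage.
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()

def build_range_index(secrets):
    """Server side: index leaked values by the first 5 hex characters of their SHA-1 hash.
    Each bucket maps the remaining 35 characters to an occurrence count."""
    index = defaultdict(dict)
    for s in secrets:
        digest = sha1_hex(s)
        prefix, suffix = digest[:5], digest[5:]
        index[prefix][suffix] = index[prefix].get(suffix, 0) + 1
    return index

def range_query(index, prefix: str) -> dict:
    """Server side: return every suffix in the bucket. The server learns only the
    5-character prefix, so it cannot tell which value the client is checking."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return dict(index.get(prefix, {}))

def leak_count(index, secret: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Returns how often the value appears in the leaked corpus (0 = not found)."""
    digest = sha1_hex(secret)
    prefix, suffix = digest[:5], digest[5:]
    return range_query(index, prefix).get(suffix, 0)

if __name__ == "__main__":
    index = build_range_index(LEAKED_SECRETS)
    for candidate in ["123456", "correct horse battery staple"]:
        print(candidate, "->", leak_count(index, candidate))
```

The same index works for email addresses: hash the address instead of the password. With a realistic corpus each bucket holds hundreds of suffixes, so a lookup reveals the checked value to the server only to within that bucket.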

Case 2: German Bundestag (2015)

| Details | Information |
|---|---|
| Date | May 2015 (detected), attributed 2020 |
| Impacted Customer Number | 5,000+ computers, 16 GB exfiltrated, MPs' emails |
| Breached Data | - MP emails - Internal parliamentary documents - Administrative data - Data from the Vice Chancellor's office |
In May 2015, the internal network of the German Federal Parliament was breached in one of the most significant state-sponsored cyberattacks in German history. APT28 (Fancy Bear / Sofacy), a unit of Russia's military intelligence service GRU, used spear-phishing emails disguised as UN communications to install malware. The attackers gained administrative access, compromised over 5,000 computers and exfiltrated roughly 16 GB of data including tens of thousands of parliamentary emails.
The entire Bundestag IT environment had to be taken offline and rebuilt. Germany formally attributed the attack to GRU Unit 26165 in 2020 and issued an international arrest warrant for Dmitriy Badin. The incident became a turning point in German cybersecurity policy.
Prevention methods:

Case 3: German Politicians Data Leak (2018/19)

| Details | Information |
|---|---|
| Date | December 2018 (disclosed January 2019) |
| Impacted Customer Number | Approximately 1,000 public figures |
| Breached Data | - Phone numbers and addresses - Credit card and financial data - Private chat logs - Personal photos - Identity documents |
In December 2018 a 20-year-old student from Hesse orchestrated what was dubbed the largest personal data leak of public figures in German history. Over an advent-calendar-style publishing campaign on Twitter, the attacker released stolen personal data of over 1,000 German politicians, journalists and celebrities, including Chancellor Angela Merkel and President Frank-Walter Steinmeier. The data included private phone numbers, home addresses, credit card information, personal chat records and photographs.
The perpetrator was arrested in January 2019. He had no formal computer science training and had acted alone. The case exposed weak digital hygiene among Germany's political elite.
Prevention methods:

Case 4: Knuddels.de (2018)

| Details | Information |
|---|---|
| Date | July 2018 (disclosed September 2018) |
| Impacted Customer Number | Approximately 330,000 confirmed (up to 1.8 million affected) |
| Breached Data | - Email addresses - Usernames - Passwords stored in plain text - Real names and addresses |
In July 2018 the popular German chat platform Knuddels.de was breached by hackers who accessed approximately 1.8 million user records, including a file of unencrypted passwords. The stolen data was published on Pastebin and Mega in September 2018. The breach was traced to an outdated backup server that had not received security updates.
The Knuddels breach triggered the first-ever GDPR fine in Germany: the Baden-Württemberg Data Protection Authority (LfDI) imposed 20,000 EUR for storing passwords in plain text, violating Article 32 of the GDPR. The authority praised Knuddels for its transparency and cooperation, establishing an important precedent for German GDPR enforcement.
Prevention methods:
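The Knuddels fine turned on a single technical fact: passwords were stored as-is. The example below is added here (not Knuddels' code) and contrasts that failure mode with the hardened form a practitioner would deploy: a per-user random salt plus a memory-hard key derivation function (scrypt from Python's standard library; Argon2id or bcrypt via third-party packages are equivalent choices), constant-time verification, and an opportunistic migration path that rehashes a legacy plaintext record on the user's next successful login. The cost parameters and the record layout are assumptions for this example.

```python
import hashlib
import hmac
import os

# The failure mode seen at Knuddels: the record holds the secret itself, so any copy of
# the database (including a forgotten backup) yields every password directly.
def store_plaintext(password: str) -> dict:
    return {"scheme": "plain", "password": password}

# Hardened form: per-user random salt plus a memory-hard KDF. Parameters are stored with
# the record so they can be raised later without invalidating existing hashes.
SCRYPT_PARAMS = {"n": 2**14, "r": 8, "p": 1}   # assumed policy values for this example
DKLEN = 32

def _derive(password: str, salt: bytes, params: dict) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=DKLEN, **params)

def store_hashed(password: str) -> dict:
    salt = os.urandom(16)
    return {
        "scheme": "scrypt",
        "params": dict(SCRYPT_PARAMS),
        "salt": salt.hex(),
        "hash": _derive(password, salt, SCRYPT_PARAMS).hex(),
    }

def verify(record: dict, candidate: str) -> bool:
    """Constant-time comparison against a hashed record; refuses plaintext records outright."""
    if record["scheme"] != "scrypt":
        raise ValueError("refusing to verify against a non-hashed record; migrate it first")
    expected = bytes.fromhex(record["hash"])
    actual = _derive(candidate, bytes.fromhex(record["salt"]), record["params"])
    return hmac.compare_digest(expected, actual)

def login_and_migrate(record: dict, candidate: str) -> dict:
    """Login path that upgrades a legacy plaintext record on the next successful login,
    so plaintext can be purged without forcing a mass password reset."""
    if record["scheme"] == "plain":
        if not hmac.compare_digest(record["password"].encode("utf-8"), candidate.encode("utf-8")):
            raise PermissionError("invalid credentials")
        return store_hashed(candidate)        # the returned record replaces the plaintext one
    if not verify(record, candidate):
        raise PermissionError("invalid credentials")
    return record

if __name__ == "__main__":
    legacy = store_plaintext("hallo123")
    upgraded = login_and_migrate(legacy, "hallo123")
    print(upgraded["scheme"], verify(upgraded, "hallo123"), verify(upgraded, "hallo124"))
```

Note that the migration path still needs a hard deadline after which remaining plaintext records are invalidated and their owners forced through a reset; otherwise dormant accounts keep the plaintext alive indefinitely, and a stale backup of the table would carry exactly the exposure described above.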

Case 5: Mastercard Priceless Specials (2019)

| Details | Information |
|---|---|
| Date | August 2019 |
| Impacted Customer Number | Approximately 90,000 individuals |
| Breached Data | - Full names - Payment card numbers - Email and home addresses - Phone numbers - Dates of birth and gender |
In August 2019, Mastercard's German loyalty program "Priceless Specials" suffered a breach that exposed personal information of approximately 90,000 members. Two data files containing names, payment card numbers, email addresses, home addresses, phone numbers, genders and dates of birth were published on the internet. Passwords, card expiry dates and CVC codes were not included, but the exposed data still created significant fraud and identity theft risks.
The breach was traced to a third-party service provider that operated Priceless Specials in Germany. Mastercard suspended the program, took down the site and notified the German and Belgian data protection authorities. Dozens of formal complaints followed, highlighting third-party vendor risk even for large financial institutions.
Prevention methods:

Case 6: H&M Nuremberg (2014-2019)

| Details | Information |
|---|---|
| Date | Since 2014, disclosed October 2019, fined October 2020 |
| Impacted Customer Number | Several hundred employees at the H&M Nuremberg Service Center |
| Breached Data | - Health records and diagnoses - Vacation and family details - Religious beliefs - Performance evaluations |
Since at least 2014, managers at H&M's service center in Nuremberg systematically collected details about the private lives of several hundred employees. Through "Welcome Back Talks" after sick leave and vacations, supervisors recorded health diagnoses, family issues, religious beliefs and holiday experiences. The data was stored on a network drive accessible to roughly 50 managers and used in employment decisions.
The practice was discovered in October 2019 after a configuration error briefly made the drive visible company-wide. In October 2020 the Hamburg Data Protection Authority issued a fine of 35.3 million EUR - the largest GDPR fine imposed by a German authority at the time and one of the largest employment-related privacy fines in European history.
Prevention methods:

Case 7: Scalable Capital (2020)

| Details | Information |
|---|---|
| Date | April-October 2020 (disclosed October 2020) |
| Impacted Customer Number | Approximately 33,000 individuals |
| Breached Data | - Names and addresses - Email addresses - ID document copies - Tax IDs - Bank and securities account data - Photos |
In October 2020 Munich-based online broker Scalable Capital disclosed a breach exposing personal and financial information of approximately 33,000 current and former customers. Unlike a typical external hack, the incident was an insider case: an individual with internal knowledge accessed the document archive storing copies of ID documents, tax data and bank account details. The stolen data surfaced on the dark web.
In December 2021 the Munich Regional Court (Landgericht München I) ordered Scalable Capital to pay 2,500 EUR in non-material damages under GDPR Article 82 to one affected customer, a landmark ruling for individual GDPR compensation claims. The court held that Scalable Capital had failed to revoke access credentials after the relevant business relationship ended.
Prevention methods:

Case 8: University Hospital Düsseldorf (2020)

| Details | Information |
|---|---|
| Date | September 2020 |
| Impacted Customer Number | Hospital systems serving thousands of patients |
| Breached Data | - 30 servers encrypted - Patient scheduling systems - Emergency care disrupted - Potential patient records access |
On September 10, 2020 the University Hospital Düsseldorf (UKD) suffered a ransomware attack that encrypted approximately 30 servers and forced it to deregister from emergency care. The attackers exploited CVE-2019-19781, a vulnerability in Citrix ADC and Gateway appliances for which a patch had been available since January 2020. The ransomware was linked to the DoppelPaymer family. A 78-year-old woman requiring emergency treatment was diverted to a hospital 30 km away and died after the delay.
German prosecutors opened a negligent homicide investigation, widely reported as one of the first cases of a death potentially linked to a cyberattack. The ransom note was addressed to Heinrich Heine University, not the hospital - the attackers appeared to have hit the wrong target. When police informed them lives were at risk, they withdrew the demand and supplied a decryption key.
Prevention methods:
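Beyond patching, the UKD case is a detection problem: CVE-2019-19781 exploitation leaves a distinctive trace in the appliance's HTTP access log, namely requests that use `..` traversal from the `/vpn/` tree into `/vpns/` (reading `smb.conf`, writing through `newbm.pl`), the publicly documented indicator for this CVE. The example below is added here, is not code from the incident or from Citrix, and runs the check over constructed log lines in a common web-server format (nothing from the UKD logs). It decodes URL encoding twice before normalising so that `%2e%2e` and double-encoded variants are caught; direct `/vpns/` requests without traversal are deliberately not flagged, since the traversal is what distinguishes the exploit from the appliance's own use of that path.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed access-log lines (not logs from the UKD incident).
SAMPLE_LOG = """\
203.0.113.7 - - [09/Sep/2020:02:14:11 +0200] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 312
203.0.113.7 - - [09/Sep/2020:02:14:13 +0200] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 55
203.0.113.7 - - [09/Sep/2020:02:14:15 +0200] "POST /vpn/%2e%2e/vpns/portal/scripts/newbm.pl HTTP/1.1" 200 55
198.51.100.4 - - [09/Sep/2020:08:00:01 +0200] "GET /vpn/index.html HTTP/1.1" 200 5120
198.51.100.9 - - [09/Sep/2020:08:00:05 +0200] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 8192
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def is_cve_2019_19781_attempt(raw_path: str) -> bool:
    """True if the request path uses directory traversal that resolves into the /vpns/ tree,
    the publicly documented exploitation pattern for CVE-2019-19781."""
    path = unquote(unquote(raw_path.split("?", 1)[0]))   # double-decode: catches %252e%252e too
    traversal = "/../" in path or path.endswith("/..")
    normalized = posixpath.normpath(path)
    return traversal and normalized.startswith("/vpns/")

def scan_log(text: str):
    """Return (ip, timestamp, method, raw path, status) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_cve_2019_19781_attempt(m["path"]):
            hits.append((m["ip"], m["ts"], m["method"], m["path"], m["status"]))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

A 200 status on one of these requests is the important signal: it means the appliance served the traversal, i.e. it was still unpatched and unmitigated at that time, and every later `newbm.pl` POST from the same source should be treated as a probable web-shell drop rather than a failed probe.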

Case 9: Motel One (2023)

| Details | Information |
|---|---|
| Date | September 2023 |
| Impacted Customer Number | Unknown (3 years of bookings, 6 TB claimed stolen) |
| Breached Data | - Customer names and addresses - 3 years of booking confirmations - Payment method information - 150 credit card details - Internal company documents |
In September 2023 Munich-based budget hotel chain Motel One, which operates over 90 hotels across 13 countries, was hit by the BlackCat/ALPHV ransomware gang. Motel One claimed operational impact was kept to a "relative minimum". BlackCat claimed to have extracted nearly 24.5 million files totaling approximately 6 TB, including three years of booking confirmations. Motel One confirmed that customer addresses and 150 credit card details were accessed.
Motel One engaged certified IT security specialists, cooperated with law enforcement and data protection authorities and personally notified the 150 affected card holders. The case highlighted the hospitality sector's exposure to long-retention PII datasets.
Prevention methods:

Case 10: Samsung Germany / Spectos (2025)

| Details | Information |
|---|---|
| Date | Leaked March 2025 |
| Impacted Customer Number | Approximately 270,000 Samsung Germany customer records |
| Breached Data | - Full names - Email addresses - Physical addresses - Phone numbers - Order numbers and product data - Customer support ticket content (including transaction details) |
In March 2025 a threat actor using the handle "GHNA" published approximately 270,000 Samsung Germany customer records on a popular hacker forum. The data did not come from Samsung directly but from Spectos GmbH, a Dresden-based service-quality measurement partner that operates Samsung Germany's customer support ticketing infrastructure. Researchers at Hudson Rock linked the intrusion to infostealer credentials harvested from a Spectos employee in 2021 - credentials that remained valid and were reused nearly four years later.
The records exposed complete customer support contexts: names, email addresses, shipping addresses, order numbers, tracking details and the full content of support tickets. That combination is especially valuable for highly personalized phishing campaigns against Samsung customers. The case has renewed attention on supply-chain identity hygiene: credentials stolen from a vendor's employee were still valid years later.
Prevention methods:
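Two of the cases above are the same control failure seen from different angles: at Scalable Capital, access survived the end of a business relationship; at Spectos, a credential stolen in 2021 was still valid in 2025. The example below is added here and is not code from either company. It reconciles an identity-provider account export against an HR and vendor roster and flags, for every enabled account, an owner who is no longer on the roster or whose relationship has ended, a credential older than the rotation policy, and a username that appears in an infostealer feed. Account and roster data, the 90-day rotation policy and the feed are all constructed assumptions for this example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Account:
    username: str
    owner: str                 # person or vendor contact the account was issued to
    enabled: bool
    last_rotated: date         # when the password / API key was last changed
    last_login: Optional[date]

@dataclass(frozen=True)
class Relationship:
    owner: str
    kind: str                  # "employee" or "vendor"
    ended: Optional[date]      # None = still active

MAX_CREDENTIAL_AGE = timedelta(days=90)   # assumed rotation policy for this example

def audit(accounts, relationships, today: date, compromised_usernames=frozenset()):
    """Return (username, finding) pairs for enabled accounts that must be disabled or rotated."""
    rel_by_owner = {r.owner: r for r in relationships}
    findings = []
    for a in accounts:
        if not a.enabled:
            continue                                     # already revoked, nothing to do
        rel = rel_by_owner.get(a.owner)
        if rel is None:
            findings.append((a.username, "orphan: owner not on HR or vendor roster"))
        elif rel.ended is not None and rel.ended <= today:
            findings.append((a.username, f"leaver: {rel.kind} relationship ended {rel.ended.isoformat()}"))
        if today - a.last_rotated > MAX_CREDENTIAL_AGE:
            findings.append((a.username, f"stale: credential last rotated {a.last_rotated.isoformat()}"))
        if a.username in compromised_usernames:
            findings.append((a.username, "exposed: username present in infostealer feed"))
    return findings

# Constructed sample data (not taken from either incident).
TODAY = date(2025, 3, 15)
ACCOUNTS = [
    Account("svc-ticketing-vendor", "vendor-contact-a", True, date(2021, 6, 1), date(2025, 3, 10)),
    Account("j.doe", "J. Doe", True, date(2025, 1, 5), date(2025, 3, 14)),
    Account("ext-archive-reader", "contractor-b", True, date(2020, 2, 1), None),
    Account("m.mueller", "M. Mueller", False, date(2019, 1, 1), None),
    Account("api-legacy", "unknown", True, date(2025, 3, 1), None),
]
RELATIONSHIPS = [
    Relationship("vendor-contact-a", "vendor", None),
    Relationship("J. Doe", "employee", None),
    Relationship("contractor-b", "vendor", date(2020, 3, 31)),
    Relationship("M. Mueller", "employee", date(2018, 12, 31)),
]
COMPROMISED = frozenset({"svc-ticketing-vendor"})   # e.g. usernames seen in an infostealer log feed

if __name__ == "__main__":
    for username, finding in audit(ACCOUNTS, RELATIONSHIPS, TODAY, COMPROMISED):
        print(f"{username:24s} {finding}")
```

The point of the `svc-ticketing-vendor` row is that a still-active vendor relationship does not make an account healthy: its credential has not been rotated since 2021 and the username is in a stealer feed, which is exactly the Spectos pattern. Run the audit on every roster change and at least daily against the feed, and treat each finding as a ticket with an owner, not as a report.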
German controllers must report a personal data breach to the competent state data protection authority within 72 hours of becoming aware of it, under GDPR Article 33. If the breach is likely to result in a high risk to affected individuals, GDPR Article 34 requires notifying them without undue delay. Critical infrastructure operators additionally notify the BSI under the BSI Act (BSIG).
Under GDPR Article 33, a controller must notify the competent supervisory authority of a personal data breach not later than 72 hours after becoming aware of it. If notification is delayed, the controller must provide reasons for the delay. The notification must describe the nature of the breach, categories and approximate number of affected individuals, likely consequences and measures taken or proposed.
Unlike centralized jurisdictions, Germany has 16 state-level data protection authorities (Landesdatenschutzbehörden) plus the Federal Commissioner for Data Protection and Freedom of Information (BfDI). The state DPA of the controller's main establishment (for example, Hamburg DPA for H&M Germany, Bavarian DPA for Scalable Capital) is competent. Federal bodies and telecoms fall under the BfDI. This federalized model is a deliberate feature of German data protection law.
Operators of critical infrastructure (KRITIS) must additionally report "significant disruptions" to the Federal Office for Information Security (BSI) under Section 8b of the BSI Act. The NIS2 directive, transposed into the BSI Act in 2025, extended mandatory reporting to more sectors including digital service providers, manufacturing and waste management. Reports follow a staged timeline: early warning within 24 hours, full notification within 72 hours and final report within one month.
When a breach is likely to result in a high risk to the rights and freedoms of individuals, GDPR Article 34 requires direct notification to affected persons in clear and plain language. The Knuddels, Scalable Capital and Motel One cases all triggered Article 34 obligations. Failing to notify is a common trigger for additional regulatory penalties on top of the underlying breach.
Four patterns recur across the ten cases: state-sponsored operations against democratic institutions, third-party and supply-chain compromise, ransomware reaching life-safety impact and GDPR case law that creates real financial exposure. Understanding these patterns is more actionable than memorizing individual incidents.
Germany stands out in Europe for the frequency of state-sponsored operations against its political institutions. The 2015 Bundestag hack, later attributed to GRU Unit 26165, and repeated attempts against political parties by APT28 illustrate that Germany's geopolitical role makes it a priority target for cyber espionage. Since Russia's invasion of Ukraine in 2022, German authorities have confirmed multiple additional attributions to Russian military intelligence.
Mastercard Priceless Specials, Scalable Capital and the 2025 Samsung / Spectos breach share a root cause outside the primary brand's own perimeter: a third-party operator, a former business relationship whose access was never revoked, or a subcontractor's stolen credentials. Even companies with mature internal security programs remain exposed through their vendor networks. The Samsung Germany case in particular demonstrates how credentials stolen from a subcontractor years earlier can still unlock production systems.
The 2020 University Hospital Düsseldorf attack demonstrated that ransomware on critical infrastructure is a life-safety issue, not just an IT or financial issue. Hospitals, utilities and municipal administrations in Germany have been repeatedly targeted. These attacks typically exploit unpatched, internet-facing appliances - vulnerabilities that were publicly known and had available patches for months before exploitation.
Germany sits at the frontier of GDPR enforcement. The 35.3 million EUR H&M fine, the first-ever GDPR fine against Knuddels and the landmark Scalable Capital non-material damages ruling collectively shape how organizations across Europe approach data protection. While Ireland leads the EU in aggregate GDPR fine value (per DLA Piper's 2026 survey) and the CJEU's Österreichische Post judgment confirmed that non-material damages claims are an EU-wide remedy, Germany stands out for the combination of high individual fines, prosecutorial willingness to investigate executives and a growing body of successful individual damages claims.
Germany's ten biggest breaches tell a consistent story: credentials are the common denominator. The 2014 mega-leak, the Bundestag spear-phish, the Knuddels plain-text passwords, the Scalable Capital access that was never revoked and the 2025 Samsung / Spectos incident all trace back to credential compromise, credential reuse or credential-handling failures. GDPR fines of up to 35.3 million EUR, the 4.9 million EUR average breach cost, individual damages awards and criminal investigations make Germany one of the most unforgiving enforcement environments in the EU.
The countermeasures are equally consistent: phishing-resistant authentication like passkeys, strict joiner-mover-leaver access controls, aggressive vendor credential rotation, continuous infostealer monitoring and 72-hour breach notification readiness. Organizations that treat these as board-level priorities in 2026 will avoid both the regulatory penalties and the reputational damage that defined the last decade of German breaches.
In March 2025 approximately 270,000 Samsung Germany customer support records were leaked on a hacker forum. The data originated from Spectos GmbH, a Samsung third-party service partner. The records included full names, email addresses, physical addresses, order details and support ticket content. Investigators linked the exposure to infostealer credentials harvested in 2021 that were reused years later to access the Spectos system.
Under Article 33 of the GDPR, German controllers must report personal data breaches to the competent state data protection authority within 72 hours of becoming aware. If the breach is likely to result in high risk, Article 34 requires notifying affected individuals without undue delay. Critical infrastructure operators must additionally notify the BSI under the BSI Act.
The Hamburg Data Protection Authority fined H&M 35.3 million EUR in October 2020 for the systematic surveillance of several hundred employees at its Nuremberg service center. It was the largest GDPR fine imposed by a German authority at the time and remains one of the largest employment-related privacy fines issued in Europe.
According to the IBM Cost of a Data Breach Report 2024, the average cost of a data breach in Germany was 4.9 million EUR (around 5.31 million USD). This places Germany among the top five most expensive countries globally for data breach incidents, above the global average of 4.88 million USD.
Germany enforces the GDPR through 16 state-level data protection authorities (Landesdatenschutzbehörden) plus the Federal Commissioner for Data Protection and Freedom of Information (BfDI) for federal bodies and telecoms. The competent authority is determined by the controller's main establishment in Germany.