Data protection incident at a BVG service provider

BVG has informed all customers who are affected about the incident by letter. This means that anyone who has not received a letter is not affected. In general, only those people who were contacted or informed by us in January 2025 in connection with the “Berlin Abo” fare product may be affected.

BVG has informed the Berlin data protection authority and the customers affected about the incident. BVG is in close contact with the service provider to clarify the incident and take further steps.

The protection of personal data is a top priority for BVG. The company pays attention to certified IT security standards when selecting service providers. The incident is being taken very seriously and a comprehensive analysis is underway.

Unfortunately, an IT attack at an external BVG service provider has resulted in a data protection incident. Unfortunately, this also affected up to approx. 180,000 BVG customer data.

BVG has informed the Berlin data protection authority and the affected customers about the incident. BVG is in close contact with the service provider to investigate the incident and clarify further steps. As far as we are currently aware, sensitive information such as account data or passwords have not fallen into the hands of the hackers. A contact mailbox has been set up for queries from affected customers.

The protection of personal data is a top priority for BVG. The company pays attention to certified IT security standards when selecting service providers. The incident is being taken very seriously and a comprehensive analysis is underway.

• Name 
• Postal address 
• E-mail address, if provided 
• Customer number 
• Contract number Berlin-Abo 

No other data is affected. Account data or bank details are not affected.

We currently assume that the incident affects up to 180,000 customers.

An external BVG service provider was the target of an IT attack. We are currently working hard to analyze and clarify how this incident could have occurred despite the high standards BVG applies when selecting its service providers.

The service provider concerned and we have taken immediate action to contain the incident and prevent further damage. This includes system checks, security updates and cooperation with the Berlin state data protection authority and the Berlin police. In addition, an interdisciplinary working group was set up at BVG immediately after the incident became known to closely monitor the incident and, in particular, to categorize and respond to our customers' inquiries as quickly as possible.

Affected customers are advised to change their passwords for BVG applications.

We currently have no indications that your data has been misused. To our knowledge, no sensitive data such as account details or password information has been leaked.

Nevertheless, we recommend that you pay particular attention to unusual activities and messages (especially phishing emails) in your email inbox. Even if no password data has been leaked, you can change your password as a precautionary measure by following the process outlined below.

Please log in to your BVG account with your e-mail address and password. Once you are successfully logged in, select “Security settings”. Then click on “Change” under the menu item “Login data” and “Basic security”.

Select the “Forgotten password” link on the BVG account login page and enter your e-mail address. If you have an active SNB user account, we will send you an e-mail with further instructions.

You have probably taken out your subscription in the Customer Center and therefore don't have a BVG account. You don't need to change your password.

No.

Pay more attention to suspicious activity on your online media (e-mail, login details, etc.). 
Use strong passwords. The Federal Office for Information Security (BSI) has prepared helpful information on this.

If you can't get anywhere digitally, you can also contact our customer centers. Please note that there may be a waiting time.