Data protection incident at a BVG service provider

BVG has informed all customers affected by the incident by letter. The letters were sent out from May 9. In general, only those persons who were contacted or informed by us in January 2025 in connection with the “Berlin Abo” fare product may be affected.

The protection of personal data is a top priority for BVG. The company pays attention to certified IT security standards when selecting service providers. The incident is being taken very seriously and an extensive analysis is underway.

Unfortunately, an IT attack at an external BVG service provider has resulted in a data protection incident. Unfortunately, this also affected up to approx. 180,000 BVG customer data. 

BVG was informed of the extent of the data loss by the external service provider at the end of April. As soon as the incident was fully assessed and its dimensions were clear, BVG informed the responsible data protection authority on April 30, 2025. Since then, BVG has been in close and constructive contact with its experts.  

At the same time, all necessary steps were taken to inform potentially affected customers transparently and quickly. The information letters began to be sent out on May 9, 2025. 

BVG is in close contact with the service provider to investigate the incident and clarify further steps. As far as we are currently aware, no account data or passwords have fallen into the hands of the hackers. We currently have no indications that this data has been misused. 

A contact mailbox has been set up for queries from affected customers. 

The protection of personal data is a top priority for BVG. The company pays attention to certified IT security standards when selecting service providers. The incident is being taken very seriously and an extensive analysis is underway.

• Name 
• Postal address 
• E-mail address, if provided 
• Customer number 
• Contract number Berlin-Abo 

No other data is affected. Account data or bank details are not affected.

We currently have no indications that your data has been misused. To our knowledge, no personal data within the meaning of Art. 9 para. 1 GDPR (special categories of personal data, so-called sensitive data) such as account data and password information have been leaked.

We currently assume that the incident affects up to 180,000 customers.

An external BVG service provider was the target of an IT attack. We are currently working hard to analyze and clarify how this incident could have occurred despite the high standards BVG applies when selecting its service providers.

The service provider concerned and we have taken immediate action to contain the incident and prevent further damage. This includes system checks, security updates and cooperation with the Berlin state data protection authority. In addition, an interdisciplinary task force was set up at BVG immediately after the incident became known to closely monitor the incident and, in particular, to categorize and respond to our customers' inquiries as quickly as possible.

We currently have no indications that your data has been misused. To our knowledge, no sensitive data in accordance with Art. 9 para. 1 GDPR, such as account data and password information, has been leaked. 

Nevertheless, we recommend that you pay particular attention to unusual activities and messages (especially phishing emails) in your email inbox. You can find helpful checklists on the website of the Federal Office for Information Security.  

Even if no password data has been leaked, security experts advise changing passwords as a precaution in the event of a data incident. To change the password for your SNB account, you will find all the important information under the question “Where and how can I change my password?”. 

It is not necessary to change the contract account in Abo-Online for the subscription data or a new customer number. 

Both the service provider and BVG have filed a complaint with the police. You also have the option of filing a complaint - the decision is up to you. If you yourself notice any signs of misuse of your data (e.g. unauthorized contract conclusions, credit rating requests, etc.), we recommend that you report the incident to the police immediately.

Please log in to your BVG account with your e-mail address and password. Once you have successfully logged in, select “Security settings”. Then click on “Change” under the menu item “Login data” and “Basic security”. 

Select the “Forgotten password” link on the BVG account login page and enter your e-mail address. If you have an active SNB user account, we will send you an e-mail with further instructions.

You have probably taken out your subscription in the Customer Center and therefore don't have a BVG account. You don't need to change your password.

No.

• As a general rule, you should always be vigilant and attentive: Watch out for suspicious activity, such as suspicious e-mails, post or phone calls requesting further personal information or unusual requests for payment. It also makes sense to regularly check bank statements, online accounts and email accounts for irregularities. The German Federal Office for Information Security (BSI) has prepared helpful information on this. 
• Use strong passwords. The Federal Office for Information Security (BSI) has prepared helpful information on this. 

If you can't get anywhere digitally, you can also contact our customer centers. Please note that there may be a waiting time.

Yes, the letter with the subject “Information about a possible breach of the protection of your personal data in accordance with Art. 34 DSGVO” dated 5.5.2025 is from the BVG.