Miniatur Wunderland, recognized as the world’s largest model train exhibition and a major tourist draw in Hamburg, recently disclosed a “data protection incident” to many of its recent visitors. This news comes just months after a separate, physical security event in April, where an individual released irritant gas at the facility. That incident led to the evacuation of all visitors and resulted in 46 people sustaining minor injuries, though the building was cleared to reopen shortly thereafter.
The impact of this latest incident, however, is potentially far more serious and wide-ranging. Visitors who purchased tickets online over the last several months began receiving emails informing them of a cyberattack. The message from Miniatur Wunderland explicitly stated that the museum was “the victim of a cyberattack, through which unauthorized third parties may have gained access to your credit card data.” The sheer volume of visitors the museum receives annually—over 1.5 million—suggests that a substantial number of individuals could be affected.
The museum’s internal investigation indicates that the attack specifically targeted the order page of its online ticket shop. They suspect that this page was compromised, allowing credit card data to be sent not only to their designated payment provider but also, simultaneously, to a “separate server” controlled by the attackers. This method of compromise suggests a sophisticated skimming operation designed to siphon payment details undetected during the transaction process.
The timeline for the data breach is currently understood to cover online credit card orders placed between June 6th and October 29th. Given the long duration of the breach and the museum’s popularity, the total number of affected customers could potentially reach into the tens or even hundreds of thousands. While not all museum guests purchase their admission in advance online, the number of digital transactions during this period is still expected to be very high.
Miniatur Wunderland is currently operating under the assumption that all credit card information entered for online ticket shop orders during this five-month window has been compromised. The sensitive data believed to be affected includes the cardholder’s name, the full card number, the CVV security code, and the card’s expiration date. There has been no mention of the incident on dark web forums yet. The museum has been contacted for further comment on the details of the alleged security lapse.