Overview
- A forensic review on Nov. 3 found malicious code in the online ticketing flow that skimmed data en route to the payment provider.
- Card payments made between June 6 and Oct. 29, 2025 are considered affected by the compromise.
- Roughly 30,000 to 35,000 customers were notified by email and advised to block their cards and monitor account activity.
- Exfiltrated data included full cardholder name, number, expiry date and CVV, with no current indication of other personal data exposure, and PayPal transactions were not affected.
- Compromised systems were cleaned and replaced within 72 hours, the case was reported to police, the BKA and Hamburg’s data-protection authority, and investigators continue to probe the origin after a tip from a card company.