Data leaks at Check24 and Verivox detected



The Chaos Computer Club (CCC) has revealed a massive data leak at the credit brokerages Check24 and Verivox. Loan contracts could be temporarily downloaded from both comparison portals, including income information and account numbers. “Everyone can see where users live, how many children they have, where they work, what they earn and how much money they are currently spending on loans,” CCC spokesman Matthias Marx told the non-profit organisation Correctiv.



Verivox said the data leak was closed immediately after it was reported by the CCC. With the exception of the whistleblower, no unauthorized access to the data was found. “We therefore believe that our customers have suffered no damage.” Baden-Württemberg data protection authorities are investigating the incident.


Check24 initially left inquiries unanswered, but according to Correctiv, it also fixed the error, found no unauthorized access to the files and retrained its staff.

According to the CCC, an IT expert initially discovered the vulnerabilities at Check24 in July. He then checked the competing site Verivox and found similar security flaws there as well. They should have been noticed in any inspection. According to Correctiv, he speaks of “loose management” of customer data: “In fact, the term ‘security gaps’ is almost inappropriate here, since in both cases the data was freely available on the Internet.”

There was a second security flaw at Check24, which required more IT knowledge. According to Correctiv, customer data was shown with download links to PDF files with loan offers from banks. “They included information such as name, gender, telephone number, email address, date of birth, nationality, employment relationship, period of employment with the current employer, how long the person has been living at their current residence, net household income, whether they have already taken a loan, whether they are living on rent, the number of their children and the number of vehicles they own. Additional details of the loan offers included the loan amount applied for, installments and account information including IBAN.”

Both companies were informed by the CCC. It is unclear how long the leak lasted and how many users were potentially affected. According to Correctiv, records of up to 75,000 people may have been accessible at Verivox. According to experts, there is no evidence that the data of the affected people was distributed online, traded or used in a criminal way.


(Mac)
