When data on income and credit are almost openly available on the Internet, it is an invitation for criminals. An IT expert and the Chaos Computer Club may have prevented something worse from happening.
The Chaos Computer Club (CCC) has uncovered massive data leaks in the credit brokerage services of Check24 and Verivox. Both comparison portals temporarily allowed loan agreements to be downloaded, including income information and account numbers. “Anyone could see where the users live, how many children they have, where they work, what they earn, and how much money they are currently spending on loans,” CCC spokesman Matthias Marx told the media company Correctiv.
Verivox announced that the data leak was closed immediately after the CCC informed them. With the exception of the whistleblower, no unauthorized access to the data was detected. “We therefore assume that no damage was caused to our customers.” The Baden-Württemberg data protection officer is investigating the incident.
Check24 initially left inquiries unanswered, but according to Correctiv, it has also fixed the error, found no unauthorized access to the files and retrained its employees.
Whistleblower: “Incompetent handling” of customer data
According to the CCC, an IT expert first discovered the vulnerabilities at Check24 in July. He then checked the competitor site Verivox and found similar security holes there. They should have been noticed in any inspection. According to Correctiv, he speaks of a “clumsy handling” of customer data: “Actually, the term ‘security hole’ is almost inappropriate here, since in both cases the data was simply openly accessible via the Internet.”
There was a second security gap at Check24, which required more IT know-how. According to Correctiv, customer data was then displayed together with download links to PDF files containing loan offers from banks. “They contained information such as name, gender, telephone number, email address, date of birth, nationality, employment status, length of employment with the current employer, how long the person had lived at their current place of residence, net household income, whether they had already taken out loans, whether they were renting, the number of their children and the number of their vehicles. Other details of the loan offers were the amount of credit requested, installments and account information including IBAN.”
The two companies were informed via the CCC. It is unclear how long the leak lasted and how many users were potentially affected. According to Correctiv, data records of 75,000 people could have been accessible at Verivox. According to experts, however, there is no evidence that data from those affected was distributed online, traded or used criminally.
Source: Stern