Data leak at Buchbinder
In a data leak at the German car rental company Buchbinder, personal data of over 3.1 million customers was exposed on the Internet.
Buchbinder Car Rental operates on a global scale with a network of over 5,000 branches spread across more than 100 countries. Last week it became known that a data leak had left the records of over 3.1 million customers freely accessible on the Internet.
The German Society for Cybersecurity, led by Matthias Nehls, identified the unprotected database during a routine check.
What data ended up on the Internet?
In total, over five million data records were exposed, some of them dating back to 2003. The personal data that became accessible included first and last names, e-mail addresses, phone numbers, postal addresses, dates of birth and license plate numbers.
Apparently no credit card information on the net
Customers' bank details are apparently also affected, as these could be read from scanned invoices. Fortunately, the invoices did not contain credit card information or other data that would allow third parties direct access to bank accounts.
Who is affected by the Buchbinder data leak?
But it is not only customer data that was compromised. The data leak also affects passwords of Buchbinder employees: around 3,000 of the 170,000 passwords were stored, and could be read, in plain text.
Well-known persons also among those affected
In addition, the exposed data includes sensitive records of numerous diplomats, police officers and members of the German armed forces. Politicians and celebrities, as well as the president of the German Federal Office for Information Security (BSI), Arne Schönbohm, are also affected by the data leak (cf. BleepingComputer.com, "Buchbinder Car Renter Exposes Info of Over 3 Million Customers", 23 January 2020).
Customers in several countries affected
Around 2.5 million of the 3.1 million affected customers are from Germany. In Austria, 400,000 customers are affected. In Slovakia, Italy and Hungary, the data leak hit a combined total of around 114,000 customers.
Data leak has since been fixed
According to Buchbinder, the vulnerability was addressed and closed immediately after it became known. A contract partner of Buchbinder Rent-a-Car was responsible for the maintenance and security of the affected servers.
How did the incident occur?
But how did confidential personal customer data end up on the web in the first place? The exposed files were data backups of the car rental company, which a vulnerability in the servers made freely accessible to anyone with enough patience to download the large data package.
According to experts, the company will have to answer for a GDPR (DSGVO) violation. This concerns not only the weakness in the servers' security but also the fact that passwords were stored unprotected, in plain text, rather than as properly hashed values.
Art. 32 GDPR (DSGVO) requires companies that process personal data to take appropriate technical and organisational measures (TOM) to ensure the security of that data (cf. BleepingComputer.com). The extent to which the IT infrastructure was inadequately secured is not yet clear.
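As an added example (not code from the article, from Buchbinder or from its contractor), the following Python shows the kind of technical measure Art. 32 points at for the password problem described above: storing credentials as salted, iterated hashes so that a leaked backup does not reveal the passwords themselves, and checking a login in constant time. The record format `pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>`, the helper names and the sample user list are assumptions made for illustration only.

```python
"""Password storage as a technical measure: salted, iterated hashing versus plain text.

Added example, not code from the article or from Buchbinder. The record format
"pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>" is assumed here for
illustration; a real deployment should use its framework's own format.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # order of magnitude currently recommended for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record with a fresh random 16-byte salt per password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and round count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never fall back to a plain string comparison
    if algorithm != ALGORITHM or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if the record uses another algorithm or fewer rounds than current policy."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


def build_stores(credentials: Dict[str, str],
                 iterations: int = ITERATIONS) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Constructed comparison: the same users kept as plain text and as hashed records."""
    plaintext_store = dict(credentials)  # a plain-text table leaks the passwords themselves
    hashed_store = {user: hash_password(pw, iterations=iterations)
                    for user, pw in credentials.items()}
    return plaintext_store, hashed_store


def passwords_exposed(store: Dict[str, str], credentials: Dict[str, str]) -> int:
    """Count records in a leaked dump from which the password can be read off directly."""
    return sum(1 for user, value in store.items() if value == credentials[user])


if __name__ == "__main__":
    sample = {"alice": "S3cret!pass", "bob": "hunter2"}  # constructed sample data
    plain, hashed = build_stores(sample, iterations=50_000)
    print("exposed from plain-text dump:", passwords_exposed(plain, sample))  # 2
    print("exposed from hashed dump:", passwords_exposed(hashed, sample))      # 0
    print("login check:", verify_password("hunter2", hashed["bob"]))          # True
    print("rehash needed (below policy):", needs_rehash(hashed["bob"]))       # True
```

The per-record salt defeats precomputed tables across users, the iteration count makes offline guessing against a leaked dump expensive, and `needs_rehash` lets an operator raise the round count at the next successful login instead of waiting for the next leak to find out the policy is stale.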