2024-09-19 01:09:42
Criminals can do a lot of damage with data on income and credit. An IT expert and the Chaos Computer Club may have prevented something worse from happening.
The Chaos Computer Club (CCC) has uncovered massive data leaks in the credit brokerage services of Check24 and Verivox. Both comparison portals temporarily allowed loan agreements to be downloaded, including income information and account numbers. “Anyone could see where the users live, how many children they have, where they work, what they earn, and how much money they are currently spending on loans,” CCC spokesman Matthias Marx told the media company Correctiv.
Verivox announced that the data leak was closed immediately after the CCC informed them. With the exception of the whistleblower, no unauthorized access to the data was detected. “We therefore assume that no damage was caused to our customers.” The Baden-Württemberg data protection officer is investigating the incident.
Check24 initially left inquiries unanswered, but according to Correctiv, it has also fixed the error, found no unauthorized access to the files and retrained its employees.
According to the CCC, an IT expert first discovered the vulnerabilities at Check24 in July. He then checked the competitor site Verivox and found similar security gaps there. They should have been noticed in any check. According to Correctiv, he speaks of a “clumsy handling” of customer data: “Actually, the term ‘security gap’ is almost inappropriate here, since in both cases the data was simply openly accessible via the Internet.”
Check24 had a second security gap, which required more IT know-how to exploit. According to Correctiv, customer data then appeared with download links to PDF files with loan offers from banks. “They contained information such as name, gender, telephone number, email address, date of birth, nationality, employment status, length of employment with the current employer, how long the person has lived at their current place of residence, net household income, whether they have already taken out loans, whether they live in rented accommodation, the number of their children and the number of their vehicles. Other details of the loan offers were the amount of credit requested, installments and account information including IBAN.”
The two companies were informed via the CCC. It is unclear how long the leak lasted and how many users were potentially affected. According to Correctiv, data records of 75,000 people could have been accessible at Verivox. According to experts, however, there is no evidence that data from those affected was distributed online, traded or used criminally.