Massive data leaks at Check24 and Verivox
The Chaos Computer Club has uncovered massive data leaks at the loan brokerage services of Check24 and Verivox. At times, loan agreements could be downloaded from both comparison portals, including income information and account numbers.
"Anyone could see where the users live, how many children they have, where they work, what they earn and how much money they are currently spending on loans," CCC spokesperson Matthias Marx told the media outlet Correctiv.
Verivox announced that the data leak had been closed immediately after the CCC's tip-off. With the exception of the whistleblower, no unauthorized access to the data had been detected. "We therefore assume that no damage has been caused to our customers." The Baden-Württemberg data protection officer is investigating the incident.
Check24 initially left inquiries unanswered but, according to Correctiv, has also rectified the error, found no unauthorized access to the files and retrained its employees.
"Bumbling handling" of customer data
According to the CCC, an IT expert first discovered the vulnerabilities at Check24 in July. He then checked the competitor site Verivox and found similar vulnerabilities there. They should have been noticed in any check. According to Correctiv, he speaks of a "botched handling" of customer data: "Actually, the term 'security gap' is almost inappropriate here, as in both cases the data was simply openly accessible via the Internet."
According to the report, there was a second security gap at Check24, which required more IT expertise to exploit. According to Correctiv, it exposed customer data along with download links to PDF files containing loan offers from the banks.
"They contained information such as name, gender, telephone number, email address, date of birth, nationality, employment relationship, length of employment with the current employer, how long the person has lived at their current place of residence, net household income, whether they have already taken out loans, whether they live in rented accommodation, the number of children they have and the number of vehicles they own. Further details of the loan offers were the requested loan amount, installments and account information including IBAN."
Extent of potential damage unknown
The two companies were informed via the CCC. It is unclear how long the leak lasted and how many users were potentially affected. According to Correctiv, data records of 75,000 people may have been accessible at Verivox. According to experts, however, there is no evidence that data from those affected was distributed online, traded or used criminally.
