Unauthorized data disclosures at Check24 and Verivox expose residential addresses and earnings details.

At Check24 and Verivox, it was possible for users to obtain other users' loan agreements, potentially without requiring sophisticated IT skills.

In a recent revelation, hackers found that sensitive user data was publicly available during credit brokering operations conducted by Check24 and Verivox. This data breach served as an open invitation to criminal elements. An insider within the Chaos Computer Club (CCC) pointed out the blatant mishandling of consumer data.

As reported by Correctiv, the CCC disclosed the existence of significant data leaks from Check24 and Verivox's credit brokering platforms. For some time, details of loan agreements, including income details and bank account numbers, could be easily downloaded from both comparison websites. "Anyone with a simple internet search could uncover where users reside, their family size, places of work, income levels, loan repayment plans, and bank account information," the CCC spokesperson noted.

Verivox reacted quickly, stating that the leak was plugged immediately after notification from the CCC and that there was no evidence of any unauthorized data access aside from the whistleblower's. The company claimed that no harm was caused to its clients as a result of the incident. The data protection officer for the state of Baden-Württemberg is currently probing the matter.

Check24 initially ignored the issue but later rectified the problem, denied any unauthorized access to the files, and re-educated its staff.

Insider Says: "Careless Handling" of Customer Data

According to the CCC, an IT expert first detected vulnerabilities on Check24 in July, followed by similar security loopholes on competitor site Verivox. These oversights should have been spotted during routine checks. The CCC's spokesman called it "reckless handling" of consumer data, asserting that "security hole" is an understatement, as the data was accessible via the internet with no protection.

A second security flaw was found on Check24, one that required advanced technical knowledge to exploit. According to Correctiv, customer data along with download links to PDF files containing loan offers were being displayed publicly. "These files contained details like the user's name, gender, contact details, birth date, nationality, employment status, tenure with the current employer, residence length, household income, loan history, rental status, family size, and number of vehicles. Additional loan offer details included loan amount, repayment plans, and bank account information including IBAN," the CCC stated.

Both companies were informed of the issue via the CCC. The exact duration of the leak and the number of affected users remain unknown. According to Correctiv, Verivox could have potentially exposed data sets of 75,000 individuals. Experts, however, have found no evidence suggesting that the data of affected users has been disseminated, traded, or misused for criminal purposes.

The CCC's insider highlighted the issue of "hacking potential" due to the careless handling of customer data on Check24 and Verivox's platforms. The cause was the lack of timely identification and rectification of the vulnerabilities, which left the data easily accessible to potential hackers.
