The German car rental company, Buchbinder, has exposed the personal information of over 3.1 million customers due to an unsecured database.
Matthias Nehls, Executive Director of Deutsche Gesellschaft für Cybersicherheit, uncovered the unsecured database as part of a series of routine scans for unprotected databases.
A report by c’t explained that the exposure was due to a configuration error on a backup server on which port 445 was open, allowing access via the SMB network protocol. There was no password protection, so anyone with a web browser could access the data and download the files stored on the server.
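The two Samba share definitions below are an added illustration of that failure mode and are not from the c’t report or from Buchbinder’s systems: the report names only a backup server with port 445 open and no password, not the software in use, so Samba, the share name, the addresses and the group are all assumptions. The first fragment is the weak configuration, the second the hardened one (two separate smb.conf files shown back to back, not one file).

```ini
# Added illustration, not Buchbinder's configuration. Assumes Samba;
# share name, paths, addresses and group are placeholders.

# --- Weak: anyone who can reach port 445 gets the backups, no password ---
[global]
   workgroup = WORKGROUP
   map to guest = Bad User        ; unknown users are silently mapped to "guest"
   restrict anonymous = 0         ; anonymous share listing is allowed

[backups]
   path = /srv/backups
   guest ok = yes                 ; no credentials required
   read only = no                 ; anonymous users may also write
   browseable = yes

# --- Hardened: authenticated, internal network only, SMB3 only ---
[global]
   workgroup = WORKGROUP
   map to guest = Never           ; bad credentials fail instead of becoming guest
   restrict anonymous = 2         ; no anonymous share listing or null sessions
   server min protocol = SMB3     ; refuse SMB1/SMB2 clients
   interfaces = 10.20.0.5/24      ; management address only (placeholder)
   bind interfaces only = yes     ; never listen on the public interface
   hosts allow = 10.20.0.0/24     ; admin network only (placeholder)
   hosts deny = 0.0.0.0/0

[backups]
   path = /srv/backups
   guest ok = no
   valid users = @backup-ops      ; placeholder group; members must authenticate
   read only = yes                ; restores only; the backup agent writes via its own share
   browseable = no
```

`testparm` validates the file and prints the effective values; the hardened share still belongs behind a firewall rule that drops 445 from the internet, since the share ACL is the last line of defence, not the first.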
The backups exposed over 5 million files, which included customer names, email addresses, phone numbers, addresses, dates of birth, as well as financial information such as bank details and information listed on scanned invoices.
The files also exposed passwords for employees and online portal users; 3,000 of the 170,000 passwords were stored in plain text.
Alongside employees and customers, the database also exposed data belonging to the president of the Federal Office for Information Security (BSI), Arne Schönbohm, as well as police and Bundeswehr employees.
Schönbohm told ZEIT: “Unfortunately, the case shows that even very sensitive personal data are only inadequately protected. Regardless of whether – as in this case – I am personally affected or not, such cases annoy me a lot because they would be avoidable.”
Of those exposed, 2.5 million customers were from Germany, roughly 400,000 from Austria and around 114,000 from Italy, Slovakia and Hungary.
Upon learning of the breach, Buchbinder told c’t that it “arranged for the closure of the corresponding ports” through its contract partner, who is responsible for maintaining and securing the servers.
With regard to potential legal consequences, reuschlaw Legal Consultants associate Stefan Hessel said: “According to Art. 32 (1) GDPR, the controller is obliged to take appropriate technical and organisational measures to protect the data in accordance with the state of the art. An essential point is to ensure the confidentiality of the data and to prevent unauthorised access by third parties.
“In this case the backups of the car rental company were unsecured and freely accessible on the net. This obviously does not correspond to the state of the art. A violation of data protection is therefore present. Furthermore, even the storage of passwords in plain text does not correspond to the state of the art. This is also a data protection violation.”
The post #Privacy: German car rental company exposes PII of over 3m customers appeared first on PrivSec Report.