Berlin (dpa) - According to a media report, customer data at the car rental company Buchbinder was accessible on the Internet on a large scale because of an error.
The approximately five million files with extensive company correspondence included scanned invoices, contracts, e-mails and photos of damage to cars, as reported by the computer magazine "c't" and "Die Zeit".
According to the reports, the rental contracts included names, addresses, dates of birth and driver's license information.
"Die Zeit" and "c't" informed the car rental company, which belongs to the Europcar Group, about the problem on January 20.
"Immediately after becoming aware of the facts, we immediately arranged for the corresponding ports to be closed by our contract partner responsible for maintaining and securing the servers," wrote Terstappen Autovermietung GmbH, part of the Buchbinder Group, in a response quoted by the media. Buchbinder indicated that a statement from Europcar would follow later.
According to "c't" and "Zeit", a configuration error in a backup server was the cause. In theory, any Internet user could have downloaded the data without entering a password, but they would have had to know the exact IP address or have searched the network for unsecured servers.
At first, there was no information as to whether the vulnerability could have been exploited. According to "c't" and "Zeit", data belonging to Green Party leader Robert Habeck and Arne Schönbohm, President of the Federal Office for Information Security (BSI), were also in the openly accessible database.
"c't" and "Zeit" received the information about the open server from IT security expert Matthias Nehls. His company, the German Society for Cyber Security, came across the open server during routine scans. Nehls said that he had initially contacted Buchbinder twice by email but received no response. He then informed the responsible data protection officer in Bavaria and the two media outlets.