Matthias Nehls is a rather taciturn North German; the founder of the data security company Cyberscan is not prone to exaggeration, so it pays to listen when he speaks plainly. "I've seen a lot of security holes," he says, "but this one is particularly nasty and fatal for everyone concerned." With his software, the 37-year-old discovered one of the largest data leaks in Germany known to date: on a server operated by the rental car company Buchbinder, the data of millions of customers from Germany and other countries had been available for weeks until this Monday. Freely accessible, unencrypted and as neatly sorted as a city library.
Samples and evaluations by ZEIT and the computer magazine c't show that Buchbinder's entire customer and driver database could potentially be viewed. It contains about three million driver's license numbers and the associated names; it also contains payment data, private addresses, dates of birth, mobile numbers and email addresses. In some cases, conclusions can be drawn about customers, for example if the car was rented by a self-help group or the driver was caught drunk at the wheel. For regular customers, rough movement profiles could be created from the information on rental and return stations.
Among those affected are customers from all over the country, including those who only became Buchbinder customers through rental car brokers. The database includes employees of countless companies and institutions; a search for the term "federal office" in the tenant field of the Buchbinder database alone returns more than 2,000 records. Actors, athletes and journalists are affected, including employees of ZEIT and ZEIT ONLINE as well as c't: people who often have to protect their privacy.
Some of the data was never handed over digitally by customers at all, but was first digitized by Buchbinder: scanned contracts including signatures and payment information, accident reports including photos, and in some cases documented statements from third parties. There are letters from lawyers as well as police accident reports.
Highly sensitive data that can easily be misused, for example to spy on people, to impersonate them or to blackmail them. This risk is particularly great for employees of ministries, police authorities, the Federal Criminal Police Office or embassies. Politicians are among those affected, including some who have often been exposed to hostility and even threats and have therefore already received police protection. Their home addresses and mobile numbers can be found in the database.
Robert Habeck is one of them. The Green party leader has often been the victim of so-called doxing, in which attackers publish personal data on the Internet. For them, open databases like Buchbinder's are a gift. When asked about the Buchbinder leak by ZEIT, Habeck only says: "I don't think it's funny."
The database also lists a former senior official of the domestic intelligence service (Verfassungsschutz) and Arne Schönbohm, the President of the Federal Office for Information Security (BSI). So, of all people, the man whose cyber security agency is responsible for protecting the IT systems of the government and ministries. "Unfortunately, the case shows that even very sensitive personal data is always insufficiently protected," Schönbohm told ZEIT. "IT security is not rocket science; it must be part of the basics in business," says Schönbohm, who used to run companies himself. And: "No matter whether I am personally affected, as in this case, or not, such cases annoy me very much because they would be avoidable."
Easily avoidable, as the genesis of the Buchbinder case shows.
The data meltdown at Buchbinder is just one example of a widespread problem
Buchbinder is no small operation. The company has been part of the French Europcar Mobility Group since 2017 and claims to be the market leader in the private customer segment. It employs 2,500 people and generated sales of around EUR 350 million in 2018. Buchbinder is a company that has been established for years and can be expected to act professionally. "We take data protection seriously," Buchbinder promises on its website, adding that security measures have been taken to protect personal data against unauthorized access. Reassuring words: even employees' email passwords were sitting unencrypted on the Internet.