Hanover (dpa / tmn) - Countless records of personal customer data may have fallen into the wrong hands through a database of the car rental company Buchbinder that was temporarily accessible over the Internet. The data concerned goes back to 2003, as the trade magazine «c't» explains.
Together with the weekly newspaper “Die Zeit”, it had first reported on the incident. Both had been informed of the leak by an IT security company.
In addition to names, addresses, cell phone numbers, dates of birth, and driver's license and payment data, the database also contained contracts, invoices, e-mails, vehicle damage photos and information, as well as passwords in plain text - and that for 2.5 million customers from Germany alone. This includes not only customers who booked directly with Buchbinder, but also those who booked through comparison portals and agents and who often do not know that they have driven a Buchbinder vehicle.
Proactively request disclosure of your own data
«c't» rates the potential for misuse of this data, and of the internal company information and correspondence that were also discovered, as high. If the responsible supervisory authorities find a violation of the General Data Protection Regulation (GDPR), a substantial fine would be due. In addition, the experts assume that Buchbinder will also have to inform the customers concerned.
If you don't want to wait for this, you can immediately use your basic right to information and request detailed information about your personal data from Buchbinder. A corresponding sample letter has been put online by «c't».
Watch out for phishing emails
At least the experts did not find credit card numbers in the data. They did, however, find scanned invoices with account details and payment information. Affected people should therefore beware of scammers who send targeted phishing emails referring to car rental bookings and ask them to click on a link to store new payment information.
If you have an online account with Buchbinder, you run the risk of having your login information, including your email address and password, published. Such passwords should therefore be changed. Here too, the experts warn of phishing emails that ask recipients to follow a link to enter a new password.
Movement patterns and accident data
According to the information, the database also records for each customer when and where they picked up a car and when and where they returned it, including kilometers driven. This could be critical for certain long-term customers, because rough movement patterns can be derived from it.
According to «c't», the accident database found in the data goes back to 2006 and includes 500,000 crashes or damage cases. It is said to record not only driver information but sometimes also the names, addresses and telephone numbers of the other parties to the accident and of witnesses.
BSI considers the consequences to be difficult to estimate
The Federal Office for Information Security (BSI) describes the possible consequences of the Buchbinder data leak as "hard to estimate". Years of spam and phishing waves or other forms of identity theft could result. On its website, the BSI explains how to protect yourself against identity theft - and what victims can do.
Sample letter from "c't" for requesting data self-disclosure
BSI information about identity theft