I actually believed that I was protecting my personal data on the net to a certain extent. I think up new passwords every now and then and use - wherever possible - two-factor authentication, in which a TAN, i.e. a one-time password, must also be entered when I log in. Although I save data in the cloud, i.e. on remote company servers, I usually encrypt it beforehand with the Boxcryptor software. But: Obviously, that's not enough if companies don't handle my data carefully.
That becomes clear to me when I meet Matthias Nehls from the IT security company Cyberscan in Flensburg. He tells me about a data leak that he found with his software at the car rental company Buchbinder. He shows me two emails in which he already pointed out the "massive data gap" to the company in December; by his own account, he didn't get an answer, even though millions of customer records, some of them very sensitive, were affected by the breach.
One afternoon in January, we sit around his meeting table, chewing fish buns and staring at a large flat screen. On the monitor: my data. It came from the database of the car rental company Buchbinder, which was freely accessible on the Internet until DIE ZEIT and the specialist magazine c't drew the company's attention to this. According to Buchbinder's short statement, "the relevant ports were immediately closed by our contract partner, who was responsible for maintaining and securing the servers". Since then, the data has no longer been online. But no one knows who viewed it until then. The company is also silent on why it did not respond to Nehls' notice in December.
How did my data end up there?
I am surprised that I am in the Buchbinder database at all. I don't remember ever renting a car from Buchbinder. But my name appears on the screen - also my private address, my mobile number, my date of birth and my driver's license number. With a little bit of searching, the scan of my rental agreement could also be found; a large number of such scans were visible on the server. Data that customers have left with Buchbinder in analog form and that the company has then digitized and saved.
I am perplexed - and ask myself: How did the data actually end up there when, as far as I remember, I never rented a car from Buchbinder? Even if I search my mail account for Buchbinder, there is nothing - no booking confirmation, no invoice. The search for the answer explains a lot about the business of the car rental companies that jostle in this confusing market - Buchbinder, a subsidiary of Europcar, is only one of many providers, but according to its own account it is the largest in the private customer segment. How did I end up with it?
The information from the leak helps. It contains all the details of my rental. On September 12, 2018, I picked up the car - a Ford Focus, color: iridium black - in Solingen, and returned it in Hamburg on September 13. I remember the day well: I had an appointment in the Bergisches Land and then went on to Cologne. I needed the car because I had to go back to Hamburg in the late evening, where I returned the Ford the following day.
The data is enough to search my mailbox in more detail: I find the right booking, it dates from September 6, 2018. However, I made it on the online portal billiger-mietwagen.de, a portal of the company SilverTours from Freiburg, where car rental prices and different car types are compared and providers can be booked. According to the booking confirmation, the provider I chose is CarDelMar, a company that in turn belongs to the US Expedia group - and, like the platform billiger-mietwagen.de, does not have a fleet of its own, but brokers rental cars. Such brokers book large quotas from the car rental companies and often get them cheaper.