Overnight accommodation service provider Numa: CCC finds collected ID data

A member of the Chaos Computer Club actually just wanted to stay overnight – and found a complete collection of customer data.

[Image: zeros and ones with the string DATALEAK (heise online / dmk)]


Overnight stays with the Berlin start-up Numa are supposed to be “simple and digital”, i.e. without a reception desk or comparable interactions in which travelers depend on the presence of other people. However, Numa's understanding of data security and data protection was apparently also a little too simple, as Zeit Online first reported.

A member of the Chaos Computer Club (CCC) who used the provider first discovered that not only were the invoice numbers consecutive, as is correct for accounting purposes, but so were the IDs of the digital documents, as the CCC also discusses in a separate press release. By simply exchanging the ID in the web address, the member was therefore theoretically able to view all of the provider's invoices, including all billing-relevant customer data.
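The defect described above is a missing object-level authorization check on a guessable identifier. The following added illustration (not Numa's code; all data is constructed) shows a lookup that trusts the ID alone beside a hardened lookup that ties the record to the requesting account, plus a second, independent defence: random document tokens in the URL so that the sequential accounting number never becomes the public identifier.

```python
"""Added illustration (not Numa's code): sequential document IDs plus a
missing ownership check let one customer read another's invoice; two
independent defences close it. All data below is constructed."""
import secrets

# Constructed sample store: invoice id -> record. Ids are sequential,
# as the article describes for Numa's invoices.
INVOICES = {
    1001: {"customer": "alice", "total": "149.00 EUR"},
    1002: {"customer": "bob",   "total": "212.50 EUR"},
}

class Forbidden(Exception):
    pass

def get_invoice_vulnerable(requesting_user: str, invoice_id: int) -> dict:
    """Looks up the invoice by id only. Any authenticated user who edits
    the id in the URL receives any other customer's invoice."""
    return INVOICES[invoice_id]

def get_invoice_hardened(requesting_user: str, invoice_id: int) -> dict:
    """Object-level authorization: the record must belong to the requester.
    The same error for 'missing' and 'not yours' avoids confirming which
    ids exist."""
    record = INVOICES.get(invoice_id)
    if record is None or record["customer"] != requesting_user:
        raise Forbidden("no such invoice for this account")
    return record

# Second defence: the URL carries a random 128-bit token instead of the
# sequential number, which stays internal for accounting.
PUBLIC_IDS = {}  # token -> invoice id

def issue_public_id(invoice_id: int) -> str:
    token = secrets.token_urlsafe(16)
    PUBLIC_IDS[token] = invoice_id
    return token

def get_invoice_by_token(requesting_user: str, token: str) -> dict:
    invoice_id = PUBLIC_IDS.get(token)
    if invoice_id is None:
        raise Forbidden("no such invoice for this account")
    return get_invoice_hardened(requesting_user, invoice_id)

def denied(lookup, requesting_user: str, key) -> bool:
    """True if the lookup refuses the request (used to exercise the checks)."""
    try:
        lookup(requesting_user, key)
    except Forbidden:
        return True
    return False
```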

Numa also required users to upload an official proof of identity, such as an ID card or passport, during the digital check-in process. After the digital check-in on the provider's website, the CCC member also found a JSON object “with name, email address, telephone number and ID data”, according to the club. “We could neither comprehend nor understand what purpose this JSON object was supposed to serve.” According to the Chaos Computer Club, the identity data of third parties was also accessible here.

The CCC then informed the operator and the responsible data protection supervisory authority in Berlin. According to Zeit Online, the operator also reported the data breach to the Berlin data protection commissioner. According to the Berlin State Data Protection Commissioner, the CCC's notification was made on June 5 and the company's on June 6. It is unclear whether all those affected have already been informed by Numa: Zeit Online reports that this step has already been taken, while according to the Berlin data protection authority it is to happen in the course of this week.


The company's reaction appears to have been swift. However, CCC spokesperson Matthias Marx sees a more fundamental problem: “The best data leak is one that cannot occur because the data was never collected. The ID card data should simply have never been processed.”

Since the beginning of the year, ID card data of German hotel guests in Germany has been stored without a legal basis and may therefore be in breach of the General Data Protection Regulation (GDPR). After the provisions for German citizens were removed from the Federal Registration Act at the beginning of the year, the Chaos Computer Club is now also calling for the repeal of the provisions on proof of identity and storage in the accommodation industry for non-Germans.


(olb)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.