Data leak hits restaurant websites; data protectionists launch investigation

After the CCC drew attention to security gaps in hundreds of restaurant ordering sites, the data protection authority is investigating the incident.

(Image: Person with gloves packs salads for delivery. Aleksandra Suzi/Shutterstock.com)

At the end of February, the Chaos Computer Club (CCC) drew attention to serious security vulnerabilities in the websites of over 400 restaurants throughout Germany and informed the responsible IT service provider Karvi Solutions GmbH, among others. It is not yet known how many restaurant customers are affected in total. It is still unclear whether all the vulnerabilities have been fixed in the meantime. The Hamburg data protection officer Thomas Fuchs (HmbBfDI) is now investigating the case.

Vitali Pelz, Managing Director of Karvi Solutions, had previously assured heise online that all loopholes had been closed and the data of those affected had been deleted from the system. He explained that a competitor had attempted to damage the reputation of a restaurant by manipulating an "order receiver API". "All available security measures have already been implemented." These suspicions could not be verified. Pelz did not respond to further inquiries.

According to a spokesperson for the HmbBfDI, however, there are still unanswered questions. The authority has also received complaints – clarification is ongoing. Who is responsible "will still have to be checked", the spokesperson said at the request of heise online.


The security gaps discovered ranged from unprotected access to the websites' backend, to a freely accessible super-admin database, to plaintext passwords that could be read out via SQL injection. In addition, the restaurants shared identical access credentials, and billing URLs were exposed. Openly accessible backups contained not only the source code but also customer data from numerous restaurant websites.
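Two of the weaknesses named above, SQL injection and plaintext password storage, usually share one root: a login check that splices user input into the query and compares against a stored password. The following is an added illustration, not code from the article or from Karvi Solutions; the table layout, the user record and the ordering-site context are constructed assumptions. It puts the weak pattern next to a hardened one using parameterized queries, a salted PBKDF2 hash and a constant-time comparison, so that a backup or a dumped table no longer reveals usable credentials.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed demo data (assumption): one back-office account for an ordering site.
DEMO_USER = "admin"
DEMO_PASSWORD = "hunter2"


def make_weak_db() -> sqlite3.Connection:
    """Weak schema: the password is stored as plaintext, so any read of the table
    (SQL injection, an exposed backup, an open admin database) leaks it directly."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (DEMO_USER, DEMO_PASSWORD))
    conn.commit()
    return conn


def weak_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Weak check: query text is assembled from user input, so input containing
    quote characters becomes part of the SQL grammar instead of staying a value."""
    sql = (
        "SELECT 1 FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the iteration count is a constructed example value."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def make_hardened_db() -> sqlite3.Connection:
    """Hardened schema: only a per-user salt and a password hash are stored."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    return conn


def add_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )
    conn.commit()


def hardened_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened check: the driver binds the username as a value, so quote characters
    in it are data, not SQL; the password never reaches the database at all."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Hash anyway so unknown and known usernames take similar time.
        hash_password(password, bytes(16))
        return False
    salt, stored_hash = row
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def plaintext_secret_in_dump(conn: sqlite3.Connection, secret: str) -> bool:
    """Simulates what an attacker reading the whole table (or a leaked backup) sees:
    True if the secret appears verbatim in any stored column."""
    cur = conn.execute("SELECT * FROM users")
    for row in cur.fetchall():
        for value in row:
            if isinstance(value, bytes) and secret.encode("utf-8") in value:
                return True
            if isinstance(value, str) and secret in value:
                return True
    return False


if __name__ == "__main__":
    weak = make_weak_db()
    print("weak, correct password:", weak_login(weak, DEMO_USER, DEMO_PASSWORD))
    print("weak, table dump shows password:", plaintext_secret_in_dump(weak, DEMO_PASSWORD))

    hardened = make_hardened_db()
    add_user(hardened, DEMO_USER, DEMO_PASSWORD)
    print("hardened, correct password:", hardened_login(hardened, DEMO_USER, DEMO_PASSWORD))
    print("hardened, table dump shows password:", plaintext_secret_in_dump(hardened, DEMO_PASSWORD))
```

The point of the hardened half is not the hash alone: even with parameterized queries, a plaintext column turns every exposed backup into a credential list, and even with hashing, a spliced query string still lets a crafted username change the query's meaning. Both fixes are needed, and a shared credential across hundreds of sites, as reported above, undoes either one.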

(mack)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.