Data protection incident: Identity data leaked from Schufa subsidiary Bonify

Unknown perpetrators stole identity data from Schufa subsidiary Forteil (Bonify) and are blackmailing the company.

By Tobias Weidemann

Unknown perpetrators have stolen users' personal data in an attack on the credit rating information service Bonify, which is backed by the Schufa subsidiary Forteil. In a message to affected customers on Wednesday, Forteil explained that unauthorised individuals had apparently gained access to identification data. The company confirmed the incident to c't.

The Bonify service is designed to give consumers free access to their so-called Schufa basic score. It also provides information about data stored at Schufa and reports negative Schufa entries via push message if desired. Bonify also offers additional financial services such as credit brokerage or credit rating information for prospective tenants, which consumer and data protection organisations see as a conflict of interest.

During the attack, the perpetrators are said to have stolen documents and data processed during the Videoident procedure. According to the service, information that new users have to provide in the identification process and information that is recorded during the process was stolen. This includes ID data, address data and photos or videos that Forteil requests during identification via Videoident or has a service provider request and then store.

Forteil emphasises that no password data, current account information including stored access data or creditworthiness data has been compromised. However, Forteil has not yet announced how many Bonify users are actually affected. The service has also not yet provided any information on the period in which the affected customers registered.

According to information from c't, the perpetrators are said to be making an extortion demand. Forteil did not provide any further details, as the proceedings have not yet been finalised. "We have been the victim of a criminal offence," a company spokesperson simply said, "and are working with the highest priority and in close cooperation with the responsible authorities and independent experts to fully investigate the attack."

The spokesperson emphasised that Forteil had informed by email all customers who, according to the current state of knowledge, are actually affected. The Hessian Commissioner for Data Protection and Freedom of Information (HBDI), the Federal Financial Supervisory Authority (BaFin) and law enforcement authorities have also been involved.

In the Bonify app you can see, among other things, which companies have reported data to Schufa or queried it there.

It remains unclear exactly how the perpetrator or perpetrators proceeded. As Forteil explicitly refers to face-to-face identification data in video format, the incident only concerns the video identification process. The company handles this via the service provider ID Now. Users who have registered using their electronic ID card (eID) or a current account would therefore not be affected.

According to information from c't, however, there is currently little to suggest that the leak occurred at ID Now. Like other banks and financial service providers, Bonify is also connected to the identity service provider via an interface. For this reason alone, we can only speculate as to where exactly the leak was located and whether it was the act of an insider or whether external attackers exploited a security vulnerability.

In addition to the potential financial damage, trust in Bonify/Forteil could also suffer. Moreover, this is not the first incident the service has had to deal with. An activist had already discovered a potential security problem when the Schufa information service was launched within Bonify, which the service quickly rectified at the time. Since then, however, things have remained quiet.

The incident has also come at a bad time for the parent company Schufa. The credit agency is not only trying to increase consumer trust as part of its "transparency offensive", which it has been promoting since 2022. It is also in the process of introducing a new scoring system and is already under particular scrutiny due to various court judgements.

For the Bonify users affected, the incident could mean a lot of trouble later on. For example, cyber criminals can use the ID card data to conclude contracts online in the name of the card holder. For services such as opening a bank account or concluding credit or insurance contracts in Germany, they need the original ID card, either for the eID procedure or for the moving images in Videoident.

For other services such as a mobile phone or internet contract, however, a picture of the ID document is often sufficient. Those affected then have to go to the trouble of clarifying the circumstances. This includes, in particular, filing a complaint and reporting the identity theft to the police.

However, it is not yet clear whether and how cyber criminals are actually using the ID data. Consumers who have registered with Bonify should nevertheless watch out for suspicious emails, text and messenger messages or phone calls. It is also advisable to be prepared for unusual transactions involving accounts or contracts.

If there are any indications of data misuse, you should report it to the police without delay and report identity fraud to Schufa in order to protect your own score. Users who want to be on the safe side and whose ID documents are part of the leak have no choice but to apply for a new ID card and have the old document blocked.

In view of the costs, it is little consolation that those affected will be able to use Bonify's identity protection service free of charge for six months. The tool is designed to monitor personal data online and provide information in the event of possible identity misuse.

(vza)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.