Major data leak: Sensitive credit rating data freely available online

There has been a data leak at one of Germany's most important credit agencies. The creditworthiness data of almost eight million consumers is affected.


By Andreas Knobloch

The creditworthiness data of millions of consumers, including information on dunning procedures or private insolvencies, was freely accessible online for several hours at the weekend. This was due to a major data leak at one of Germany's most important credit agencies, infoscore Consumer Data GmbH (ICD) from Baden-Baden, which is part of the Experian Group. Like Germany's best-known credit agency, Schufa, infoscore assesses the solvency of consumers.

The data leak was uncovered by activist Lilith Wittmann. "On the weekend, I had access to the credit reports of everyone in Germany at Experian (previously Arvato Infoscore). This means I was able to make thousands of inquiries and received a credit score and negative characteristics for each person (such as information on dunning procedures or personal insolvencies)," she wrote in a LinkedIn post. Several million consumers were presumably affected by the data leak. According to the company, infoscore's data pool contains almost 40 million pieces of up-to-date information on the negative payment behavior of over 7.8 million consumers.

According to Wittmann, it was possible to access the creditworthiness data via a portal called "Score Kompass" operated by the credit broker Smava. According to the hacker, the identification step at registration, which uses an ID or a bank account, was easy to bypass, and she was given "direct access to the person's score". She then relatively quickly built a programming interface on top of this gap and used it to obtain further information about Arvato's scorer. According to Wittmann, she learned, for example, that "if you are 50 years old instead of 25, you simply get 15 points more across the board. If you are in prison or registered in a shelter for homeless people, you get a very, very bad score based on your address and women get 11 points more".

According to a report by tagesschau.de, Infoscore stated that it had been informed of "a suspected IT security incident at two partner companies" and had launched an investigation. "As far as we are currently aware, these are cases that have not affected or compromised any of Infoscore Consumer Data's systems," said a company spokesperson.

Just a few days ago, Wittmann had uncovered a data leak at another credit agency. The activist used a prominent victim to show that the start-up "it's my data" was able to elicit information about the payment behavior of prominent politicians relatively easily. Last year, she claims to have obtained credit rating information on former Health Minister Jens Spahn from the Schufa app Bonify. Wittmann therefore concludes: "If I get access to data from various credit agencies three times in two years – thanks to absolutely trivial security loopholes –, then you can only conclude that these companies are not suitable for processing such sensitive data."

(akn)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.