Significant security flaws at two prominent German comparison websites, Check24 and Verivox, exposed sensitive customer data, including income details and loan agreements, to the open internet. The Chaos Computer Club (CCC) and an independent IT expert were instrumental in uncovering the leaks, potentially preventing more serious consequences. The exposed information could have been accessed by criminals with little effort, posing a substantial risk to users’ privacy and financial security.
Discovery of the Data Leaks
The Chaos Computer Club revealed that Check24 and Verivox, two of the largest loan comparison platforms in Germany, both suffered from severe data security flaws. While the flaws were present, users’ loan contracts, along with private details such as income statements and bank account numbers, were freely accessible online. CCC spokesperson Matthias Marx described the extent of the exposure in an interview with Correctiv: “Anyone could see where the users live, how many children they have, where they work, what they earn, and how much they currently owe on loans.”
Verivox’s Response
Verivox responded quickly once notified by the CCC and closed the leak immediately. The company stated that there had been no unauthorized access to customer data apart from the whistleblower who reported the flaw. “We believe no harm has come to our customers,” Verivox stated. The incident is now under investigation by the data protection authority in Baden-Württemberg.
Check24’s Response
Check24 was slower to respond, initially leaving inquiries unanswered, but later confirmed that the flaw had been fixed and reported no evidence of unauthorized access. The company has since retrained its staff to prevent similar incidents.
Whistleblower Calls Out Negligent Handling of Customer Data
The IT expert who uncovered the vulnerabilities first identified problems at Check24 in July, which prompted them to examine Verivox as well, where they found similar flaws. The security holes were so basic that the whistleblower described them as glaring oversights. “It’s almost misleading to call these ‘security gaps’ because the data was essentially available to anyone with an internet connection,” the whistleblower told Correctiv.
Deeper Issues at Check24
Check24 was also found to have a second, more complex vulnerability. With some technical expertise, an attacker could reach a further layer of customer data that included download links to PDF files containing sensitive loan offers from banks. That data comprised full names, gender, phone numbers, email addresses, birth dates, nationality, employment status, length of employment, household income, details about existing loans, rental status, number of children, vehicle ownership, as well as the specific loan terms and bank account details, including IBANs.
The Extent of the Breach Remains Unclear
How Long Were Users at Risk?
Although the CCC notified both companies and the data has since been secured, it remains unclear how long the vulnerabilities existed or how many users were affected. According to Correctiv, up to 75,000 Verivox customers may have had their data exposed. So far, however, experts see no evidence that the information was widely disseminated, sold, or used for criminal activity.
The incident reveals a severe lapse in data security at Check24 and Verivox, which exposed users’ sensitive financial and personal information to the internet. Both companies have fixed the vulnerabilities, but the case underscores the need for more stringent cybersecurity measures to protect customer data and maintain trust. The swift action by the CCC and the whistleblower prevented further exposure, yet the episode is a stark reminder of the risks posed by weak online security.
DELTA Data Protection & Compliance, Inc. Academy & Consulting – The DELTA NEWS – Visit: delta-compliance.com