Shopping, booking vacations, arranging doctor’s appointments, applying for a job – all of this is done online to a large extent these days. The information transmitted is sometimes highly sensitive, and the responsible service providers are expected to store and manage it well protected on secure servers. In many cases, however, the reality is very different. This is the result of an investigation by the Chaos Computer Club (CCC).
This is where the data leaks lurk
In fact, all information was freely accessible and completely unprotected on the Internet. The researchers discovered the lion’s share of the data in so-called Git repositories. These are version control systems for program code and databases – a tool for the work of developers and administrators. According to the report, however, developers and administrators often inadvertently save content from actively used tables and databases in their projects and make it publicly accessible without noticing.
According to the Chaos Computer Club, it discovered a lot of other user data in unprotected cloud services, where entire databases could even be searched for keywords and the results filtered in a targeted manner. According to the report, the institutions affected by the data leaks include well-known companies such as BMW, AIDA, Deutsche Bahn, Deutsche Post and Nestlé, as well as state institutions such as the Bundeswehr and the Lower Saxony state parliament. The Chaos Computer Club has reported all findings to the respective responsible parties and, in particularly drastic cases, forwarded them to the Federal Office for Information Security, the responsible state data protection authorities and even the FBI.
Not all those affected responded
According to the report, the reactions were mixed. While the majority of the affected bodies thanked the club for the tip and fixed the respective leak, some companies gave no feedback at all. Particularly bitter: only three bodies promised to inform affected customers about the data leak. The Chaos Computer Club describes the careless handling of customer data by most companies as sobering. In most cases, it is possible to better secure the information without great effort.
Among other things, the information found included personal passenger data, names, addresses, dates of birth and telephone numbers, as well as details of participation in a competition from six years ago and a large amount of credit card and payment data. The researchers discovered 3D denture models at a service provider for dentures. At a recruitment agency, they had free access to letters of application, including reasons for rejection.