The Bavarian State Commissioner for Data Protection and the State Commissioner for Data Protection in Baden-Württemberg have extensive audits ahead of them: a security expert has discovered critical security gaps at the comparison portals Verivox and Check24. Tens of thousands of customers are said to be affected by the data leaks. The Chaos Computer Club even speaks of a "super disaster".
Security gaps at Check24 and Verivox
The data leaks were discovered by an IT security expert who wishes to remain anonymous. In an interview with the investigative portal Correctiv, the IT expert explained that he first stumbled across the security vulnerability at Check24 and then discovered a similar leak at Verivox. "No in-depth technical understanding was required to exploit the security gaps," said the whistleblower.
Check24 and Verivox are comparison portals where consumers can compare, for example, electricity and gas tariffs or credit conditions. If the consumer finds what they are looking for, Check24 or Verivox can arrange the contract on request. In doing so, the two companies collect a considerable amount of personal data that is required to conclude the respective contract. That data is also passed on to the company the contract is brokered with (in the case of credit offers, the bank). Check24 and Verivox receive a commission for each contract concluded.
Data breach in credit brokerage
As Correctiv reports, the security vulnerability lay in the credit comparison section of both portals. Interested parties who used the site as guests received their personal offer via a URL. Anyone who changed the number at the end of that URL up or down could view the personal offer of a third person. At Verivox this worked without any password prompt; Check24 did prompt for a password, but the same password was used for all customers, so the prompt offered no real protection.
In this simple way, the IT expert was able to view other people's data records. They included sensitive information such as address, monthly salary, number of children and employer. The whistleblower informed the two companies via the Chaos Computer Club: Check24 on July 29 and Verivox on August 20.
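The flaw described above is the classic insecure direct object reference (IDOR): an offer is addressed by a sequential number in the URL and the server never checks that the caller is the person the offer belongs to. The example below is added here to illustrate that pattern; it is not code from Check24, Verivox or Correctiv. The offer store, the session identifiers, the applicant records and the shared password are all constructed for this illustration. It shows both weak variants the article names (no authorization at all, and a single password shared by everyone) beside a hardened lookup that uses an unguessable token and binds each offer to the session that created it.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Offer:
    applicant: str       # applicant name (constructed sample data)
    salary: int          # monthly salary in EUR (constructed)
    employer: str        # employer (constructed)
    owner_session: str   # guest session that created the offer


# Constructed sample store with sequential IDs, as the article describes.
OFFERS: Dict[int, Offer] = {
    1001: Offer("A. Mustermann", 3200, "Firma A", "sess-a"),
    1002: Offer("B. Beispiel", 4100, "Firma B", "sess-b"),
    1003: Offer("C. Test", 2800, "Firma C", "sess-c"),
}

# Hypothetical static password standing in for the one password the article
# says Check24 used for every customer.
SHARED_PASSWORD = "shared-secret"


def vulnerable_get_offer(offer_id: int, session: str) -> Optional[Offer]:
    """Verivox-style pattern: /offer/<id> is answered from the ID alone.
    The session is received but never consulted."""
    return OFFERS.get(offer_id)


def shared_password_get_offer(offer_id: int, session: str,
                              password: str = SHARED_PASSWORD) -> Optional[Offer]:
    """Check24-style pattern: a password prompt, but one password for everyone.
    Authentication without per-record authorization changes nothing."""
    if not hmac.compare_digest(password, SHARED_PASSWORD):
        return None
    return OFFERS.get(offer_id)


def enumerate_offers(session: str, start: int, count: int,
                     fetch: Callable[[int, str], Optional[Offer]]
                     ) -> List[Tuple[int, str]]:
    """What 'changing the number at the end of the URL' looks like in a loop:
    returns every record of another person that the given session can read."""
    leaked = []
    for oid in range(start, start + count):
        offer = fetch(oid, session)
        if offer is not None and offer.owner_session != session:
            leaked.append((oid, offer.applicant))
    return leaked


# Hardened variant: an unguessable handle in the URL plus an ownership check
# on every read. Either measure alone is weaker than both together.
TOKENS: Dict[str, int] = {}   # opaque token -> offer ID


def issue_offer_token(offer_id: int) -> str:
    """Replaces the sequential ID in the URL with a 256-bit random token."""
    token = secrets.token_urlsafe(32)
    TOKENS[token] = offer_id
    return token


def hardened_get_offer(token: str, session: str) -> Optional[Offer]:
    """Resolves the token, then enforces that the caller owns the offer.
    A wrong owner gets the same answer as a missing token, so the endpoint
    does not confirm that the record exists."""
    offer_id = TOKENS.get(token)
    if offer_id is None:
        return None
    offer = OFFERS[offer_id]
    if not hmac.compare_digest(offer.owner_session.encode(), session.encode()):
        return None
    return offer


if __name__ == "__main__":
    print("leaked via sequential IDs:",
          enumerate_offers("sess-a", 1000, 10, vulnerable_get_offer))
    print("leaked despite shared password:",
          enumerate_offers("sess-a", 1000, 10, shared_password_get_offer))
    tok_b = issue_offer_token(1002)
    print("owner reads own offer:", hardened_get_offer(tok_b, "sess-b"))
    print("other session reads it:", hardened_get_offer(tok_b, "sess-a"))
```

Running the script walks ten IDs from session "sess-a" and lists the two other applicants' records for both weak variants, while the hardened lookup returns the offer only to "sess-b". The ownership check is the essential part: a random token alone still fails the moment a link is shared or logged, and a password alone, as the shared-password case shows, does not tie a record to a person.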
"It's remarkable that two such large portals, which do nothing more than collect data and pass it on to banks, are making such rookie mistakes that shouldn't actually happen," explains Matthias Marx from the Chaos Computer Club in an interview with Correctiv.
Investigations by data protection authorities already underway
Check24 and Verivox confirmed the security gaps when asked by Correctiv. According to both companies, the gaps have been closed and the developers responsible have received additional training. Whether the technical and organizational measures were deficient before that will be determined by the investigations of the responsible data protection authorities.
Check24 is based in Munich, so the Bavarian State Commissioner for Data Protection is responsible for the company. Verivox is based in Heidelberg and is being investigated by the Baden-Württemberg State Commissioner for Data Protection. Above all, the companies must now establish whether data was actually accessed through the security gaps. Neither company has so far been able to say how long the gap existed or how many people may have been affected. That, too, will now be part of the data protection authorities' investigation.
Source: Credit brokerage at Check24 and Verivox: Critical data leaks discovered - Correctiv article