Major data leaks have been discovered in the credit brokerage services of Check24 and Verivox by the Chaos Computer Club (CCC). These breaches potentially exposed sensitive financial information of thousands of customers, raising serious privacy concerns.
Data vulnerability at comparison portals
The Chaos Computer Club (CCC) has uncovered significant data breaches in the credit brokerage services of Check24 and Verivox. According to the report, loan contracts, including income statements and bank account numbers, were temporarily accessible for download at both comparison portals. “Anyone could see where users live, how many children they have, where they work, what they earn, and how much money they are currently spending on loans,” CCC spokesperson Matthias Marx told the media company Correctiv.
Verivox stated that the data leak was closed immediately after it was notified by the CCC. The company claims that no unauthorized access to the data was detected, other than by the whistleblower. “We therefore assume that no harm has been done to our customers,” the company said. The Baden-Württemberg Data Protection Commissioner is currently investigating the incident.
Check24 initially did not respond to inquiries but, according to Correctiv, has also fixed the error. The company reported no unauthorized access to the files and has retrained its employees.
Whistleblower reports “amateurish handling” of customer data
According to the CCC, an IT expert first discovered the vulnerabilities at Check24 in July. Subsequently, he checked the competitor site Verivox and found similar security flaws there. These issues should have been apparent during any routine security check. Correctiv reports that the expert described it as “amateurish handling” of customer data: “Actually, the term ‘security gap’ is almost inappropriate here, as in both cases the data was simply openly accessible via the internet.”
Check24 reportedly had a second security flaw, which required more IT expertise to exploit. According to Correctiv, customer data with download links to PDF files containing bank credit offers were visible. “They contained information such as names, gender, phone number, email address, date of birth, nationality, employment status, length of employment with current employer, how long the person has been living at their current residence, household net income, whether they have already taken out loans, whether they rent, the number of their children, and the number of their vehicles. Further details of the loan offers included the requested credit amount, installments, and account information including IBAN.”
Both companies were informed through the CCC. It remains unclear how long the leak existed and how many users were potentially affected. According to Correctiv, data sets of 75,000 people may have been accessible at Verivox. However, experts assess that there is no evidence that affected individuals’ data has been disseminated, traded, or criminally used on the internet.