November 25, 2024, 4:28 pm
A massive data leak is said to have occurred at the credit agency Infoscore. The sensitive financial data of millions of people has probably been compromised.
Anyone who has ever engaged in the nerve-wracking search for an apartment is likely familiar with the Schufa credit report. This report is often a fundamental requirement for a successful rental application, as it demonstrates one’s financial reliability. It is also requested in other areas of life. Schufa, however, isn’t the sole credit reporting agency in Germany capable of gathering and supplying creditworthiness information. Infoscore Consumer Data GmbH (ICD) is another agency of this kind, and it reportedly experienced a significant data breach recently.
IT security activist exposes data leak at Infoscore
A few days ago, IT security expert Lilith Wittmann published a post about the incident on her LinkedIn profile. According to the post, last weekend she gained access to the credit reports of all individuals in Germany held by Experian, the parent company of Infoscore.
She stated that she could make “thousands of inquiries” and access each individual’s credit score along with negative records like dunning procedures or personal bankruptcies. As the Tagesschau also reported, the security vulnerability is said to have existed for several hours on Saturday, November 16.
According to its own information, Infoscore’s data collection contains around 40 million pieces of information on the negative payment behavior of more than 7.8 million people. These come from everyday consumer sectors such as mail order and banking.
Trick revealed security vulnerability at Infoscore
Wittmann explains in detail in her post that this was made possible by Infoscore partners. When registering a new user on the online portal “Scorekompass”, operated by Smava, it was possible to simply state that the account had already been verified.
This bypassed the entire “identification process using ID or bank account verification” and granted access to the individual’s credit information.
Suspicion of discrimination arises
However, Wittmann went one step further: because it was so easy to access the data, she developed a programming interface based on the security gap and then used it to reverse-engineer the scorer in use.
For instance, she found that individuals aged 50 were automatically awarded 15 points more than those aged 25. Additionally, women typically receive an 11-point advantage, whereas prison inmates and individuals registered at homeless shelters are automatically assigned a significantly low score.
Data protection advocates were only informed of the breach later on
TECHBOOK contacted Infoscore and asked for statements on the current security status of the data and possible discrimination by the scorer. A response had not been received by the time this article was published. Should we receive a response, it will be provided here.
However, the company told Tagesschau that the incident is said to have occurred at “two partner companies” and is currently being investigated. Countermeasures are said to have been taken immediately. In addition, the incident is said not to have jeopardized any of Infoscore Consumer Data’s systems.
The state data protection authorities responsible for Infoscore are said to have only found out about the incident two days later, on Monday, November 18. Companies are required to report such an incident within 72 hours of discovery, or they risk incurring substantial fines.
Not an isolated case with credit agencies
This is not the first time that a problem with data security has been uncovered at credit agencies. Wittmann herself writes that she gained access to sensitive information from various credit agencies three times in just two years. She describes the security gaps that led to this as “absolutely trivial.”
Only Schufa is said to have been directly spared so far, although its subsidiary Bonify already had a vulnerability. In view of the latest developments, Wittmann is of the opinion that “these companies are not suitable for processing such sensitive data.”