Big Data Leak at German car rental Buchbinder

[German]There is another huge data leak to be report within the last 24 hours. A data leak has occurred at the German Buchbinder car rental company, where personal data of three million customers was stored on an open server.


Buchbinder is one of the largest German car rental companies – you can often see their small trucks when people move into another house. And at this company, there was probably one of the biggest data leaks in the history of the Federal Republic of Germany: personal data of three million customers of Buchbinder car rental company were on the net for weeks without protection, including addresses and telephone numbers of celebrities and politicians. Accident reports as well as e-mails and access data of employees of the Buchbinder Group were also accessible.

Findigs from a security researcher

German IT magazine c't and German News Paper DIE ZEIT were informed about the open server by IT security expert Matthias Nehls. His company "Deutsche Gesellschaft für Cybersicherheit" had discovered the open SMB port during internet routine scans. Nehls initially contacted Buchbinder twice by e-mail, but according to his own statements, he received no reply. The IT expert then informed the responsible state data protection officer in Bavaria as well as c't and DIE ZEIT.

10 TByte data, 5 million records

The ten terabytes of data accessible via the open server contained over five million files. These included files with extensive company correspondence, including scanned invoices, contracts, e-mails and damage reports from cars. The nine million rental contracts in the data set contained not only the names of tenants but also those of drivers, addresses, dates of birth, driver's license numbers and dates of issue.

Many customers also provided mobile phone numbers and e-mail addresses. Credit card numbers were not found in the database, but payment information and bank details were found on PDF scans of invoices. In addition, it appeared that the complete MSSQL company database could be accessed without a password request.

On January 20, 2019, c't and DIE ZEIT informed Buchbinder of the data leak: "Immediately after becoming aware of the facts, we immediately arranged for the closure of the relevant ports by our contractual partner commissioned with the maintenance and securing of the servers," wrote Terstappen Autovermietung GmbH, a member of the Buchbinder Group.


From a legal point of view, such an open server is an almost catastrophic violation of the GDPR regulations. If the responsible supervisory authorities were to determine a violation of the DSGVO, a very high fine would be due. Heise has published this German c't article on the facts of the case and much more information.

Similar articles:
Microsoft Data Leak: 250 Mio. Call Center records left public
PussyCash data leak affects thousands of erotic models worldwide'
IoT provider Wyze admits data leak
Data leak at Palo Alto Networks
Adobe Creative Cloud: 7.5 Million account records leaked

Cookies helps to fund this blog: Cookie settings


This entry was posted in Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *