Vehicle appraisals from Dekra and TÜV Rheinland available on the Internet

I am once again posting an unpleasant data breach on the blog that affects lessees in Europe. A reader has informed me that reduced-value reports written by TÜV Rheinland and Dekra inspectors are freely available on the Internet. It is therefore very easy to see when which vehicle was returned with which defects at the end of the leasing contract. The reports include vehicle data and also personal data of the assessor. I reported the matter to the relevant data protection authorities in August, but nothing happened, so I am now disclosing it.


A reader's comment triggered curiosity

A blog reader received an email that ended up in his spam filter; it had reached him by mistake because of a single misspelled letter in the address. That can happen. And because it was about an order, the reader wanted to find out more about the sender and send them a message saying "got your order confirmation".

He entered the person's name into the Google search engine, and the first hit looked promising. However, when he clicked on that hit and looked at the document that opened, he was stumped, as he wrote to me. The document did not look as if it was intended for the public: it was an expert report from TÜV Rheinland.

When TÜV reports are on the Internet

At this point, the reader contacted me on August 23, 2024 and handed the case over to me for further investigation. I did some quick research: in its service area at tuv.com, TÜV Rheinland presumably provides appraisals of vehicles that state the residual value at the end of a leasing contract.

Screenshot: TÜV Rheinland appraisal in the search engine results

The screenshot above shows that the directory in question, in which the expert reports are stored as PDF files, is apparently unprotected. As a result, search engines such as Google index the folder and then list the individual documents in their search results.


Screenshot: reduced-value report (Minderwertgutachten) from TÜV Rheinland

In my opinion, these documents are not intended for the public. In the extract above, I have redacted the company address of the leasing company whose leased vehicle was inspected in May 2024 and assessed with a reduction in value of over 2,200 euros. On page 2, I can see further details such as the vehicle registration number and other vehicle data. Some appraisals even include photos of the vehicle registration certificate. I have also come across documents containing the appraiser's personal details.

TÜV Rheinland stores, or has stored, all of these reports, including the personal data they contain, unencrypted on a server. Because the folder was freely accessible on the Internet, search engines such as Google were able to index the documents.
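For readers who operate a document store themselves, here is what the failure mode described above looks like in web server terms, and how it is closed. This is an added nginx configuration written for this article; it is not taken from the blog post, nor from TÜV Rheinland, Dekra or carsonnet.com, and the hostname, paths and password file are assumptions.

```nginx
# Added example: a hypothetical report store. Hostname, directory and
# password file are placeholders, not anything from the incident.

# --- Weak configuration: reproduces the exposure described in the article ---
server {
    listen 443 ssl;
    server_name reports.example.test;         # hypothetical hostname

    location /gutachten/ {
        root /srv/www;                        # PDFs live in /srv/www/gutachten/
        autoindex on;                         # directory listing: every PDF gets a link
        # No authentication and no X-Robots-Tag header: a crawler that reaches the
        # folder follows the listing and indexes each report.
    }
}

# --- Corrected configuration -------------------------------------------------
server {
    listen 443 ssl;
    server_name reports.example.test;

    location /gutachten/ {
        root /srv/www;
        autoindex off;                        # nginx default; no listing at all

        # Access control is the actual security boundary.
        auth_basic "Reports";                 # replace with SSO / client certificates
        auth_basic_user_file /etc/nginx/.htpasswd-reports;   # hypothetical file

        # add_header is NOT inherited once any add_header appears in a location,
        # so every header the response needs is declared here together.
        add_header X-Robots-Tag "noindex, nofollow, noarchive" always;
        add_header Cache-Control "private, no-store" always;
    }

    # Second signal for well-behaved crawlers only. A Disallow line is not a
    # security control: a URL linked from elsewhere can still be indexed unless
    # the request is refused (401 above) or carries the noindex header.
    location = /robots.txt {
        default_type text/plain;
        return 200 "User-agent: *\nDisallow: /gutachten/\n";
    }
}
```

A quick check after deployment is `curl -sI https://reports.example.test/gutachten/`: the corrected setup answers with 401 rather than a 200 listing page, and once authenticated the response carries the `X-Robots-Tag` header. Two caveats a practitioner should keep in mind: the configuration stops new indexing but does not remove copies the search engines already hold, which have to go through their removal tools; and it does nothing about the other point raised in the article, the reports sitting unencrypted on disk.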

Wait, there's more

After the discovery above, a follow-up email arrived from a blog reader who had browsed a little further in the search engine. Under the heading "I looked a little further …", the reader had submitted another search query to Google.

Screenshot: vehicle appraisals from carsonnet.com on the Internet

And both Google and Bing had a lot to say about vehicle appraisals and condition reports prepared by TÜV Rheinland and Dekra and posted on the Internet via carsonnet.com. Carsonnet is a company based in Poland that buys and sells vehicles. The company also has a German branch.

If you would rather have an expert report from Dekra instead of TÜV Rheinland, or if you are interested in what happens in Italy or other countries in this regard, carsonnet.com has you covered. The following screenshot shows a Dekra depreciation report for a lessor.

Screenshot: Dekra valuation report on the Internet

Same scheme as with TÜV Rheinland. It even exists internationally: I've seen reports from Italy (Rome), the Netherlands, etc. It's funny to read an appraisal in Dutch, in Scandinavian languages or in Italian. A Hyundai Kona from 2019 at a price of 48,247 euros was worth just 12,088.00 euros in 2024 with 130,000 km on the odometer. The price drop for e-cars is enormous.

Reporting it to the data protection watchdog

I then reported both cases to the relevant data protection watchdogs on August 23, 2024. They opened an official investigation. At the same time, I set a deadline of one month by which I wanted to receive feedback, and I communicated that I planned to report on the matter in my IT blog once it had been clarified.

The data protection authority in Lower Saxony asked whether I had a contact address, which I was able to provide. After the follow-up deadline had passed without anything happening, I enquired about the status via the press offices of both LfDIs (the state data protection commissioners). Only the LfDI of Lower Saxony replied that the case was still under review, but that there was nothing to prevent it from being made public.

The current status is that the reports of the bodies concerned are still freely available on the Internet. As Cars on Net reports from various EU countries have been openly indexed by search engines, I assume that this data leak will not be closed in the foreseeable future.


This entry was posted in Security.
