Germany: Private data from restaurant visits found online
August 28, 2020

Millions of sensitive data entries regarding restaurant reservations, orders and coronavirus contact tracing information were found available online due to a series of gaps in the security system of a large German gastronomy services software company, according to a new report. The Chaos Computer Club (CCC) discovered the flaw, which also revealed information about various German politicians.
The Chaos Computer Club, a European association of hackers, found that the vulnerability in the cloud software system left over 4 million data entries from the past nine years accessible to hackers. The data included more than 87,000 entries of contact information that restaurants and bars in Germany are now obliged to collect as part of the coronavirus contact tracing system.
Politicians also affected
The names and personal information of numerous German politicians also appear in the leak, reported Bayerischer Rundfunk (BR) and Norddeutscher Rundfunk (NDR). One example was a member of the Social Democratic Party (SPD) in Hamburg whose email as well as postal address were made visible, along with the fact that he met a colleague in a cafe on July 15 at 12:33 p.m.
The politician declined to comment further to BR and NDR.
Similarly, reservations made by the offices of German Health Minister, Jens Spahn, as well as the general secretary of the SPD, Lars Klingbeil, could also be found among the data.
Breach now resolved
The company, gastronovi, which is based in the city of Bremen, told BR and NDR that the gaps in its security system have now been plugged, but that the responsibility for data sovereignty was "exclusively up to our customers." Restaurants that make use of the service are supposed to delete the data entries themselves.
Gastronovi deals with 600,000 reservations each month and restaurant sales with a value of €96 million ($114 million).
Responsibility of software companies
The German federal commissioner for data protection, Ulrich Kelber, addressed the vulnerability when speaking to Tagesschau. "If a catering service provider offers to store the data, then perhaps it should also be part of the service to delete the data afterwards."
Kelber expressed his support for high fines, "so that this becomes part of the calculation of all providers. So not only: 'What does it cost me to store the data, but also what does it cost me if I don't take care of protecting this data?'"
Gastronovi confirmed in a statement given to Deutsche Welle on Friday that CCC had gained access to customer data including names, addresses, email addresses and telephone numbers. Among those, 1,237 came from digital coronavirus tracing forms. The company stated that it had contacted its direct customers and the security flaws had been resolved within hours.
"In the future, the company will pay even greater attention to the issue of vulnerability to external data and will revise the quality standards applied to date," the statement explained.