On January 23, 2020, news broke of one of the biggest data leaks to date in Germany. Apparently, it was possible for anyone on the Internet to gain full access to the backup of the entire database of car rental company Buchbinder. The ramifications are difficult to grasp.
Not even a password stood in the way of viewing invoices, contracts and customer data. It didn’t end there, either: Information about accident reports, bank details and access data to Buchbinder was freely available.
Buchbinder itself stands to suffer the greatest damage to its reputation, and it has published a statement that the leak had already been patched on January 20th. Nevertheless, customer data including names, birthdates, telephone numbers and driver’s license numbers belonging to over three million people, from private individuals to public figures, is now in circulation. The total number of records involved is simply immense, because the contract data stretches back to 2003 and includes people who never signed a Buchbinder rental contract. It is not yet possible to put a number on the damage caused by this data leak.
Strengthening IT and data security by auditing configurations
The leak was made possible by a careless configuration mistake by a service provider: TCP port 445 was accessible from anywhere in the world and entirely unprotected. We firmly believe that everyone with IT responsibilities has a duty to learn from what happened here. Existing measures in place for protecting company data should be audited on a regular basis.
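As an added illustration (not from the article and not part of SAST SUITE), a recurring configuration audit for this specific mistake can be a short script that flags inbound allow-rules exposing TCP port 445 to non-internal sources. The rule format, rule names and addresses are constructed assumptions; adapt the parsing to your firewall or cloud export.

```python
import ipaddress

SMB_PORT = 445  # the port the article names as exposed
# Assumption: these ranges count as "internal"; extend with your own networks.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample inbound allow-rules (hypothetical format and names).
SAMPLE_RULES = [
    {"name": "web", "proto": "tcp", "ports": "443", "source": "0.0.0.0/0"},
    {"name": "backup-share", "proto": "tcp", "ports": "445", "source": "0.0.0.0/0"},
    {"name": "legacy-range", "proto": "any", "ports": "1-1024", "source": "::/0"},
    {"name": "office-smb", "proto": "tcp", "ports": "139,445", "source": "10.20.0.0/16"},
    {"name": "partner-smb", "proto": "tcp", "ports": "445", "source": "198.51.100.0/24"},
    {"name": "dns", "proto": "udp", "ports": "1-1024", "source": "0.0.0.0/0"},
]

def covers_port(spec, port):
    """True if a spec such as '445', '139,445', '1-1024' or 'any' includes port."""
    if spec.strip().lower() in ("any", "all", "*"):
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def classify_source(cidr):
    """Return 'world', 'internal' or 'public' for a source network."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "world"
    if any(net.version == i.version and net.subnet_of(i) for i in INTERNAL):
        return "internal"
    return "public"

def audit(rules, port=SMB_PORT):
    """List (rule name, scope) for rules that allow TCP `port` from outside."""
    findings = []
    for r in rules:
        if r["proto"].lower() not in ("tcp", "any", "all"):
            continue  # UDP-only rules cannot expose a TCP service
        if covers_port(r["ports"], port):
            scope = classify_source(r["source"])
            if scope != "internal":
                findings.append((r["name"], scope))
    return findings

if __name__ == "__main__":
    for name, scope in audit(SAMPLE_RULES):
        print(f"FINDING: rule '{name}' allows TCP/{SMB_PORT} from a {scope} source")
```

Wide port ranges and protocol "any" rules are checked as well, since they expose the port just as effectively as an explicit 445 entry.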
At akquinet AG, SAST SUITE offers a solution for auditing the security configurations of your SAP systems. Regular, automatic audit runs help you protect your company data while maintaining the necessary level of transparency to effectively prevent unauthorized direct data outflows from your SAP systems.
Jan-Uwe Fink (SAP Security Consultant, SAST SOLUTIONS)