Credit reports in the Bonify app can be manipulated at times

Status: 07/24/2023, 1:56 p.m.

The Bonify app has recently become available. With it, Schufa entries can be viewed. But shortly after the launch came the first data leak, a disaster for the Schufa subsidiary.

Until recently, the Schufa subsidiary Bonify was largely unknown. That changed abruptly last week, when Schufa and its subsidiary announced that consumers will in future be able to view their Schufa score online free of charge using the Berlin start-up’s app. Even though the reporting in the German media was initially reserved and often critical, the app quickly became popular. A few days ago, the finance app even reached number 2 in the download charts.

At the weekend, however, it became apparent that the company may have serious problems with IT security. The IT security expert Lilith Wittmann says she managed, through a security hole in the Bonify app, to obtain credit reports belonging to strangers and to manipulate them so that a name could be assigned a different credit rating. Such credit reports are needed to obtain mobile phone contracts and loans, or to present oneself as a solvent tenant when looking for an apartment. Wittmann first reported this on Twitter on Saturday.

“Unsuitable to process such data”

The IT expert was then able to show NDR and “Süddeutsche Zeitung” (“SZ”) in several cases how names and other details could be swapped during the identification process in the app in order to create manipulated proof of creditworthiness. According to Wittmann, this is a data protection disaster that should not have happened: “The security gap at Bonify shows me that the company does not have an absolutely fundamental understanding of IT security and is unsuitable for processing such data,” Wittmann told NDR.

Schufa and its subsidiary Bonify have now admitted that the data leak did exist. Wittmann had “discovered a gap that could be exploited to exchange one’s own address with someone else’s,” Schufa said in a statement to NDR and “SZ”. According to Schufa, no Schufa data were affected by this “gap”, only data from the Schufa competitor Boniversum, a credit agency based in Neuss in North Rhine-Westphalia. “While Boniversum delivered a score based on the manipulated data, data from Schufa was never transmitted to Bonify,” says Bonify boss Andreas Bermig: “Because Schufa uses higher security standards.”

The fact that Bonify also uses data from a Schufa competitor is explained by the history of the Berlin start-up: before it was bought by Germany’s largest credit agency last year, the company had to obtain creditworthiness data from another source in order to offer its financial services. So Bonify concluded a contract with Boniversum, which is still in force today.

Did Schufa apply pressure before the takeover?

Schufa initially did not provide any information about how the data leak came about. Research by NDR and “SZ” suggests, however, that Bonify’s programmers may have been under great pressure in recent months to meet management requirements. After the Schufa takeover, several employees left the company, which nevertheless wanted to offer new services quickly. In addition, it was apparently difficult to find new, highly qualified employees.

As of May of this year, Bonify was still looking for a team leader to bring the projects over the finish line. “At the moment, however, I am far behind the plan with my team, infrastructure and competence,” a senior employee wrote to a potential candidate in a message seen by NDR and “SZ”. Internally, there is “not the necessary competence. That’s why I’m desperately looking for external help.”

The parent company Schufa, which is rather unpopular in IT circles, is, as the Bonify employee conceded, “not the best company name” when looking for experts. He feared that “we would screw up the structure” and that the result could be that consumers “didn’t have confidence in the access and integrity of the data it contains”. The search for employees was “about another app” that Schufa and Bonify were developing, Bonify boss Bermig emphasizes.

Spahn’s data downloaded?

A loss of trust in Bonify and its handling of sensitive consumer data? That is exactly what could now happen. Because the issue is probably not only that IT expert Wittmann was able to issue manipulated proof of creditworthiness. She also believes that she was able, in the meantime, to obtain creditworthiness data on third parties that she should never have received at all. According to her account, she was apparently able to download the creditworthiness score of the CDU politician and former Federal Minister of Health Jens Spahn.

According to her own statements, she used his address and date of birth, both of which are publicly available following numerous reports on a controversial real estate financing. Bonify boss Bermig, however, says: “At no time was Mr. Spahn’s personal or financial data (…) hacked and was therefore not transmitted. The score published by Lilith Wittmann was based solely on Mr. Spahn’s information entered by the activist.”

The Bonify boss emphasizes that his company reacted immediately when the data leak became known. The source of the error was eliminated on Saturday evening, according to Bermig in a statement to NDR and “SZ”: “According to the current state of knowledge, it is no longer possible to manipulate address details as part of the identification and registration process.” In addition, Schufa had the data exchange with Bonify stopped at the same time, and the contractual partner Boniversum did the same on Sunday afternoon. “As soon as this work is completed, the base score of the Schufa will be available again. The Boniversum score will no longer be available from Bonify until further notice.”
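The flaw class the statements above describe, a registration flow in which identity details such as the address can be changed by the user after identification and then drive a credit bureau lookup, can be illustrated in code. The following is an added, constructed example and is not Bonify’s code; how the real app worked internally is not public. It assumes a backend that receives a verified identity record from an identification step and a separately editable client profile, and contrasts a handler that builds the bureau query from the editable profile with one that binds the query to the verified record, rejects and logs any mismatch, and thereby makes manipulation attempts visible to monitoring.

```python
"""Constructed illustration of the flaw class: identity attributes that feed
a credit-bureau lookup must come from the verified identity record, never
from client-editable input. Not Bonify's code; shapes and names are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VerifiedIdentity:
    """What an identification step hands the backend (assumed shape)."""
    user_id: str
    name: str
    birth_date: str
    address: str


@dataclass(frozen=True)
class BureauQuery:
    """The attributes a credit bureau would be asked about."""
    name: str
    birth_date: str
    address: str


class IdentityMismatch(Exception):
    """Raised when client-supplied identity fields differ from the verified record."""


# Constructed sample: the user completed identification with these details.
VERIFIED = VerifiedIdentity(
    user_id="u-1",
    name="Erika Mustermann",
    birth_date="1980-01-01",
    address="Musterweg 1, 12345 Musterstadt",
)

IDENTITY_FIELDS = ("name", "birth_date", "address")


def build_query_unsafe(identity: VerifiedIdentity, client_profile: dict) -> BureauQuery:
    """Vulnerable pattern: fields from the editable client profile override the
    verified record, so the bureau is asked about whatever the client submits."""
    return BureauQuery(
        name=client_profile.get("name", identity.name),
        birth_date=client_profile.get("birth_date", identity.birth_date),
        address=client_profile.get("address", identity.address),
    )


def build_query_bound(identity: VerifiedIdentity, client_profile: dict, audit_log: list) -> BureauQuery:
    """Hardened pattern: the bureau query is derived only from the verified
    identity. Client-supplied fields are compared, never used; a differing value
    is rejected and written to the audit log so attempts are detectable.
    Changing an address legitimately would require a fresh identification step."""
    for field in IDENTITY_FIELDS:
        submitted = client_profile.get(field)
        if submitted is not None and submitted != getattr(identity, field):
            audit_log.append({
                "event": "identity_field_mismatch",
                "user_id": identity.user_id,
                "field": field,
            })
            raise IdentityMismatch(f"{field} differs from verified identity; re-verification required")
    return BureauQuery(identity.name, identity.birth_date, identity.address)


if __name__ == "__main__":
    # Constructed tampered profile: same account, someone else's address.
    tampered = {"address": "Anderer Weg 9, 54321 Anderestadt"}
    print("unsafe query uses:", build_query_unsafe(VERIFIED, tampered).address)
    log: list = []
    try:
        build_query_bound(VERIFIED, tampered, log)
    except IdentityMismatch as exc:
        print("bound query rejected:", exc)
    print("audit log:", log)
```

The point of the bound variant is that the editable profile is never an input to the lookup at all; the comparison exists only to surface tampering in the audit log, which is the signal a security operations team would alert on.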

Data protection officers and BaFin are alarmed

The Neuss-based Schufa competitor is apparently aware that deficiencies in IT security at the Schufa subsidiary Bonify could also cause massive damage to Boniversum. According to his own statement, Michael Goy-Yun, Managing Director of Creditreform Boniversum GmbH, first learned of the data leak via Twitter. “It was only on Sunday that the Bonify managing director called me and said: ‘We have a problem,’” said Goy-Yun, who then arranged for the service to be shut down. “We don’t see a mistake here, but a data protection violation at Bonify and are now doing everything we can to clarify it quickly.”

Data protection officials and the financial services regulator BaFin are now also alarmed. According to a spokeswoman for the authority, Bonify informed the responsible Berlin data protection officer about the incident on Sunday: “According to the current state of affairs, it could be a violation of Article 32 of the General Data Protection Regulation, which concerns the security of data processing. We are currently examining the entire process.” BaFin is also aware of the matter, a spokesman told NDR and “SZ”: “We are in close contact with the supervised company.” No information can be given about the details, however.

Incidentally, Germany’s largest credit agency openly admits that there is still a lot to do at Schufa and Bonify. “Although Bonify and Schufa will remain two separately operating companies after the takeover, we naturally have a great interest in transferring Schufa’s high security and quality standards to Bonify as well,” a company spokeswoman said in writing. Schufa supports Bonify in “examining products, services and the quality of previous cooperation partners and making changes if necessary.” A process that could obviously take some time, Schufa believes: “These security analyses are expected to be completed by the fall of this year.”
