Schufa tenant information available under a different name

The Bonify app

On Monday afternoon, the Schufa service could not be reached via the app.

(Photo: dpa)

Berlin. Germany’s largest credit agency, Schufa, presented a new service last week together with its subsidiary Bonify. Consumers now have free digital access to their score, which is an indicator of the customer’s creditworthiness. The sole requirement: you must download the Bonify app.

A few days later, however, disillusionment set in. The reason for this is a security gap that IT expert and activist Lilith Wittmann found. As part of the account identification procedure between Bonify and the Boniversum credit agency, she discovered a loophole that could be exploited to exchange one’s own address with someone else’s.

Specifically, Wittmann identified herself as a Bonify customer via the Bankident procedure. The data can afterwards be updated a second time via a programming interface (API), she wrote on the microblogging service Mastodon.

She had prepared for this and, using software, entered data she had gathered about the CDU politician and former Health Minister Jens Spahn. On the basis of this data, Wittmann received a score for Spahn.

Bonify’s parent company Schufa felt compelled to clarify that “Schufa data was never affected by the incident”. Although Bonify and Schufa will remain two separately operating companies after the takeover, “we naturally have a great interest in transferring Schufa’s high security and quality standards to Bonify,” it said in a statement on Monday. The security analyses that have been initiated are expected to be completed by autumn of this year.

Data exchange between Schufa and Bonify stopped

On request, Bonify stated that “at no time was personal or financial data from Mr. Spahn or other names hacked” and accordingly none was transmitted. The score published by Ms. Wittmann is based solely on the information about Mr. Spahn that the activist herself provided, and that information was publicly available.

At the instigation of Schufa, the data exchange between Schufa and Bonify was stopped on Saturday. On Sunday, the company also stopped the exchange between Boniversum and Bonify. According to Bonify, “maintenance work” is currently taking place. Once it is completed, the Schufa base score will be available again. The Boniversum score, however, will no longer be available from Bonify until further notice.

Bonify also announced that the Berlin state commissioner for data protection had been informed, as had the financial regulator BaFin.

What Schufa itself has dubbed a “transparency offensive” has suffered a setback with the data breach. Schufa has not yet tackled its most sensitive project: from 2024, consumers should be able to give Schufa a look at their own accounts via the Bonify app. This should only happen with the express permission of the account holder, and it aims to better assess the creditworthiness of the customer.

The activist Wittmann does not hide her opinion of Bonify: “Schufa bought a start-up that doesn’t even have absolute basic knowledge in the field of software architecture and simply chops together some procedures somehow.” It seems that Schufa still has some trust-building to do.

With agency material
