Our world is becoming more digitized by the minute, but as great as the opportunities presented by the advancements in digitization may be, they are accompanied by equally great risks. When asked about their worst imaginable scenario, IT managers will answer in unison: a large-scale data breach. For German car rental company Buchbinder, this hypothetical nightmare recently became a reality. Though the exact consequences of the incident cannot yet be fully determined, it is certain that they are potentially catastrophic.

But let’s start at the beginning. First, we need to take a look at what a data breach actually is. Wikipedia states: “A data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment.”

Historic Data Breach

This is the largest-scale data leak Germany has seen to date, and with Buchbinder it has hit a major player. By their own account, Buchbinder are “market leader in the private customer segment cars and trucks in Germany and Austria”. The company, which is based in Regensburg, employs more than 2,500 people and operates around 165 rental stations across Europe. Their turnover recently amounted to almost 350 million euros.

Just as impressive as the company’s scale is the scale of their data leak. A whopping 10 terabytes of sensitive customer data were affected by the data breach, simply because the company’s file server was accessible over the internet without any protection whatsoever.

The consequence was that anyone who cared was able to access information on three million of Buchbinder’s customers online for several weeks. The reason? Quite simply, the lack of structured access rights. The data affected goes back 18 (!) years and includes a broad range of information, from names, addresses and telephone numbers to scans of invoices, contracts, e-mails and even pictures of damaged cars.

Not your Typical Hacker Attack

Problems of this magnitude naturally raise the question of who is to be held responsible. In this particular case, it is not possible to answer the question just yet. In comparable cases in the past, the reason usually came down to configuration mistakes, which basically means: one wrong click and the damage is done. Another fun fact regarding the Buchbinder “attack”: there were actually no protective mechanisms in place that required disabling to extract the data, so in legal terms, the incident can’t even be referred to as a “hacker attack” at all.

As of yet, there is no way to estimate the extent of the damage Buchbinder will be facing. However, since there is no way of telling who accessed the confidential data, the incurred damages are quite likely enormous. Besides losing their customers’ trust, the car rental company can expect a potentially hefty GDPR fine, as well as damage claims.

How to Prevent Disasters like this

Data leaks are always unpleasant because the only winners are the thieves who convert the stolen data to money. The next few weeks and months will bring more clarity as to the exact causes that led to the data breach in Buchbinder’s case.

It is, indeed, possible to take precautions against data leaks. Implementing access management software can be one way to prevent data leaks from occurring. By applying the appropriate access rights, the right access management solution can help to protect sensitive data from unauthorized access. How does it work? The first step is to reduce access rights to those that employees need to carry out their respective jobs, because incorrect or superfluous access rights are among the main causes of data theft and abuse.