German car rental company Buchbinder exposed the personal information of over 3.1 million customers, including federal ministry employees, diplomats, and celebrities, all of it stored in a ten-terabyte MSSQL backup database left unsecured on the Internet.

The German company runs a worldwide network of over 5,000 car rental stations operated by partners and franchise holders, with clients from more than 100 countries.

Buchbinder is currently investigating the security breach according to a notification displayed on the company's website.

"IMPORTANT INFORMATION - Dear customers, we have been informed of a data leak that affected our systems," Buchbinder's notification says.

"We are currently in the process of reviewing the matter and will come back to you shortly with more informations."

Customer information of millions exposed

The unsecured database was discovered by Deutsche Gesellschaft für Cybersicherheit Executive Director Matthias Nehls as part of a series of routine scans for unprotected databases.

After analyzing the open database, Nehls discovered that the German car rental company had exposed the data of more than 3 million of its customers on the Internet, as reported by c't and DIE ZEIT, with the stored data going back as far as 2003.

The more than 5 million exposed files included customer names, emails, phone numbers, addresses, dates of birth, license numbers, as well as financial information such as bank details and payment info listed on scanned invoices and rental contracts; credit card numbers, at least, were not found in the database.

Exposed data sample (c't)

Last but not least, some of the exposed records also included passwords for employees and online portal users, with 3,000 of the total 170,000 stored in plain text.

Besides sensitive information of employees and customers, the unsecured backup database also contained data of federal ministry employees including the President of the Federal Office for Information Security (BSI) Arne Schönbohm, hundreds of diplomats from all over the world, Police and Bundeswehr employees, as well as sports and entertainment celebrities and politicians.

The database is now secured

"Immediately after becoming aware of the facts, we immediately arranged for the closure of the corresponding ports by our contract partner, who was responsible for maintaining and securing the servers," Buchbinder told c't.

If stolen while the database was left open on the Internet, the data could be used by cybercriminals in a variety of ways including highly convincing spear-phishing attacks and business email compromise (aka email account compromise) attacks that can lead to huge monetary losses.

Overall, around 2.5 million of the customers whose info was exposed were from Germany, roughly 400,000 from Austria, and about 114,000 from Italy, Slovakia, and Hungary.

When it comes to the potential legal consequences Buchbinder is facing, legal experts say that exposing the data and keeping it stored since 2003 without justification are both breaches of data protection standards.

"According to Art. 32 (1) GDPR, the controller is obliged to take appropriate technical and organisational measures to protect the data in accordance with the state of the art," reuschlaw Legal Consultants associate Stefan Hessel said.

"In this case the backups of the car rental company were unsecured and freely accessible on the net. This obviously does not correspond to the state of the art. A violation of data protection is therefore present.

Furthermore, even the storage of passwords in plain text does not correspond to the state of the art. This is also a data protection violation."
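The plain-text password finding is the part of this incident that a development team can fix directly. The following is an added example, not code from the article or from Buchbinder's systems: it stores passwords as salted PBKDF2-HMAC-SHA256 records, verifies a login attempt in constant time, and runs a small audit over a constructed credential table to flag rows that are not in the hashed format (the kind of check that would have surfaced the 3,000 plain-text entries before anyone else did). The record format, the iteration count and the sample rows are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Tuning values chosen for this example; raise the iteration count to what your
# login latency budget allows on production hardware.
SCHEME = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt_b64$digest_b64.

    Storing the parameters with the hash lets you raise the cost later
    without invalidating existing records.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "$".join([
        SCHEME,
        str(PBKDF2_ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Check a login attempt against a stored record; anything that is not a
    well-formed hashed record (e.g. a plain-text password) fails closed."""
    try:
        scheme, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        iterations = int(iterations)
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def is_hashed_record(stored: str) -> bool:
    """Format check used by the audit: does this value look like one of our records?"""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME or not parts[1].isdigit():
        return False
    try:
        base64.b64decode(parts[2], validate=True)
        base64.b64decode(parts[3], validate=True)
    except ValueError:
        return False
    return True


def audit_credentials(rows):
    """Summarise how many rows in a credential table are hashed vs. stored in the clear."""
    plaintext_users = [row["user"] for row in rows if not is_hashed_record(row["password"])]
    return {
        "total": len(rows),
        "hashed": len(rows) - len(plaintext_users),
        "plaintext": len(plaintext_users),
        "plaintext_users": plaintext_users,
    }


# Constructed sample table: two users stored correctly, one legacy row in plain text.
SAMPLE_ROWS = [
    {"user": "portal-user-1", "password": hash_password("correct horse battery staple")},
    {"user": "portal-user-2", "password": hash_password("hunter2")},
    {"user": "employee-3", "password": "Sommer2019!"},  # legacy plain-text record
]

if __name__ == "__main__":
    print(audit_credentials(SAMPLE_ROWS))
    record = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                 # False
```

Rows the audit flags should be handled by forcing a password reset on next login rather than by hashing the stored plain-text value in place, since the old value has to be treated as compromised once it was exposed. `is_hashed_record` is a format check for this scheme only; adapt it if your table mixes several hash schemes.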

BleepingComputer reached out to Buchbinder to ask for more details regarding this incident but did not hear back at the time of publication.