The German web hosting company DomainFactory has announced a data breach that may have exposed its customers’ DomainFactory telephone passwords, bank account numbers and credit scores, along with other personal data.

DomainFactory is a subsidiary of Host Europe Group, which owns a number of other web hosting companies including 123-Reg and Heart Internet.

The exposure was discovered on 3rd July 2018 and announced on 6th July 2018. According to the announcement on DomainFactory’s website, an “inadvertent system change” had made customer data accessible to third parties since 29th January 2018, meaning the data was exposed for roughly five months before it was noticed.

The announcement also states that the data was not merely exposed but actually accessed by an “outside party without authorization”.

In a subsequent update published on 8th July, DomainFactory is also encouraging its customers to update their email, FTP, SSH and MySQL database passwords.

Because DomainFactory provides web hosting, any third party holding a customer’s account credentials could plausibly reach the database powering that customer’s website as well, which is why the rotation advice covers the service credentials and not just the customer account password.

According to an automatically translated report from Heise, the attacker allegedly gained access to one of DomainFactory’s shared web servers in order to take revenge on another DomainFactory customer who, he claimed, owed him money.

DomainFactory says the underlying issue has been fixed and that it has reported the incident to Germany’s data protection authority.

Aside from DomainFactory telephone passwords, bank account numbers and credit scores, DomainFactory states that the following personal data was also made accessible to outside parties:

Customer name;

Company name;

Customer number;

Address;

Email address;

Telephone number; and

Date of birth.

The company says it has put “increased security” in place to prevent further unauthorized access. It is nevertheless advising all customers to change their DomainFactory account passwords.

Because a third party holding a customer’s name, address, date of birth and bank account number could set up direct debits in that person’s name, DomainFactory is also encouraging customers to monitor their bank statements for any suspicious activity.

Based on the timeline provided by DomainFactory, the breach may fall under the EU’s new General Data Protection Regulation, which became applicable on 25th May 2018: although the exposure began in January, it was discovered, and the unauthorized access presumably continued, after that date.

Under Article 33 of the GDPR, organizations must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it. DomainFactory’s announcement came three days after discovery, which is within that window. Organizations found to be in breach of the regulation can incur fines of up to 20 million EUR or 4 percent of worldwide annual turnover, whichever is higher.

The web host says it has engaged an “external security company” to assist with a forensic investigation of its systems.