The Bonify app became available recently. With it, Schufa entries can be viewed. But right after the launch there was the first data leak, a disaster for the Schufa subsidiary.
Until recently, Schufa’s Bonify was still largely unknown. But that changed abruptly last week, when Schufa and its affiliates announced that in the future consumers will be able to view their Schufa scores online for free using the Berlin company’s app. Even if reports in the German media were initially reserved and often critical, the app quickly became popular. A few days ago, the financial app reached #2 in the download charts.
However, at the end of the week it became clear that the company may have serious problems with IT security. IT security expert Lilith Wittmann claims to have been able to obtain credit reports of strangers via a digital portal in the Bonify app and manipulate them in such a way that a different credit rating can be assigned to a name. These credit reports are essential in order to obtain mobile phone contracts and loans or to present yourself as a solvent tenant when looking for an apartment. Wittmann initially reported this on Twitter on Saturday.
“Not suitable for processing this data”
The IT expert was subsequently able to explain to NDR and “Süddeutsche Zeitung” (“SZ”) in several cases how she was able to exchange names and other information during the identification process in the app in order to create tampered evidence of creditworthiness. According to Wittmann, this is a data protection disaster that should not happen: “The Bonify security hole shows me that the company does not have a completely basic understanding of IT security and is ill-suited to handling such data,” Wittmann told NDR.
Schufa and its Bonify subsidiary have now acknowledged that the data leak did indeed exist, as Schufa said in a statement to NDR and “SZ”. According to Schufa, none of Schufa’s data was affected by this “gap”, only that of Schufa competitor Boniversum, a credit agency based in Neuss in North Rhine-Westphalia. “While Boniversum gave a score based on what data was manipulated, the data from Schufa was never transferred to Bonify,” says Bonify President Andreas Bermig, “because Schufa uses higher security standards.”
The fact that Bonify also uses data from a Schufa competitor can be explained by the history of the Berlin start-up: before being bought by Germany’s largest credit agency last year, the company had to obtain creditworthiness data from another source in order to be able to offer its financial services. So Bonify signed a contract with Boniversum, which still exists today.
Pressure from Schufa before the acquisition?
Schufa initially did not provide any information about how the data leak came about. Research by NDR and “SZ” indicates, however, that Bonify’s programmers may have come under significant pressure in recent months to meet management requirements. After the acquisition by Schufa, many employees left the company, which nonetheless wanted to quickly offer new services. In addition, it was apparently difficult to find new highly qualified employees.
As of May of this year, Bonify was still looking for a Team Leader to get projects to the finish line. “At the moment I’m way behind plan with my team, infrastructure and efficiency,” one senior staff member wrote to a potential candidate, according to NDR and “SZ”. Internally, however, “there is no necessary aptitude. That is why I am desperately looking for outside help.”
Parent company Schufa, unpopular in IT circles, is, as a Bonify employee admitted, “not the best company name” when looking for experts. He feared that they would “corrupt the architecture” and that the result would be that consumers “did not trust the access and integrity of the data it contained”. The headhunting was “about another app” developed by Schufa and Bonify, Bonify head Bermig confirms.
Spahn data downloaded?
Distrust of Bonify and its handling of sensitive consumer data? This is exactly what could happen, because the problem may not be limited to the fact that IT expert Wittmann was able to create tampered evidence of creditworthiness. She also believes that, in the meantime, third-party creditworthiness data could be obtained which she should not have received at all. She apparently managed to download the credit score of CDU politician and former Federal Health Minister Jens Spahn.
According to her own statements, she used his address and date of birth, both of which are publicly available after numerous reports of a controversial real estate financing. However, the head of Bonify Bermig says: “At no time was Mr. Spahn’s personal or financial data hacked (…) and therefore not transmitted. The finding published by Lilith Wittmann was based solely on the information the activist entered from Mr. Spahn.”
Bonify’s boss confirms that his company responded immediately when the data leak became known. The source of the error was eliminated on Saturday night, he said in a statement to NDR and “SZ”: “According to the current state of knowledge, address details can no longer be processed as part of the identification and registration process.” In addition, Schufa stopped sharing data with Bonify at the same time, and contractual partner Boniversum did the same on Sunday afternoon. “Once this work is complete, Schufa’s core score will be available again. Boniversum’s score will not be available from bonify until further notice.”
Data protection officials and BaFin are concerned
Apparently, the Neuss-based Schufa competitor understands that the IT security shortcomings of Schufa’s Bonify subsidiary could also cause serious damage to Boniversum. According to his own statement, Michael Joy-Yon, Managing Director of Creditreform Boniversum GmbH, first discovered the data leak via Twitter. “It was only Sunday when Bonify’s general manager called me and said, ‘We have a problem,’” said Joy-Yon, who then arranged for the service to be shut down. “We don’t see anything wrong here, but there is a breach of data protection at Bonify and we are now doing everything we can to quickly clear it up.”
Data protection officials and financial services regulator BaFin are now concerned. According to a spokeswoman for the authorities, Bonify reported the incident to the responsible data protection officer in Berlin on Sunday: “According to the current situation, it could be a violation of Article 32 of the General Data Protection Regulation, which concerns the security of data processing. We are currently studying the whole process.” According to the spokesperson, BaFin is aware of this process, as NDR and “SZ” were told: “We are in close contact with the company under supervision.” However, no information about the details could be given.
Germany’s largest credit agency, meanwhile, openly admits that there is still a lot to do at Schufa and Bonify. “Although Bonify and Schufa will continue to operate separately following the acquisition, we naturally have a significant interest in transferring Schufa’s high standards of security and quality to Bonify as well,” a spokeswoman for the company said in writing. Schufa supports Bonify in “checking the products, services and quality of previous collaboration partners and making changes if necessary.” Schufa believes this process may take some time: “These security analyses are expected to be completed by this fall.”