Early in 2020 there has been a serious data leak at the car rental company Buchbinder according to media reports in the computer magazine c’t and the weekly newspaper Zeit. Personal data of three million clients have been leaked and are accessible (unencrypted) for anyone on the internet. According to the media all Buchbinder clients (car renters and drivers) from 2003 to 2020 are affected.

A configuration error on one of Buchbinder´s backup servers has apparently triggered the data leak. This lead to personal data being published on the internet. The following data has been published:

Name
Address
Date of birth
Mobile phone number
E-mail address
Driving licence number
Driving licence issue date
Payment information and bank details

The data was publicly available on the internet. The likelyhood of phishining attempts, blackmail and other fraudulent methods is considered to be very likely. Identity theft cannot be ruled out.

The disclosure of personal data is likely to constitute a serious breach of the GDPR (European Data Protection Regulation). According to Art 82 GDPR, any person who has suffered material or immaterial damage due to a data protection breach is entitled to claim damages against the responsible party, thus against Buchbinder.