Germany's postal service, Deutsche Post, operates a portal where people can enter their new addresses following a move; the web address is umziehen.de. The postal service then automatically informs a variety of other service providers of the new address, including banks and insurance companies. It is without question a useful service. But the postal service was exceedingly sloppy when it came to the portal's security. Due to a simple error, the address information of around 200,000 users could easily be accessed on the internet.
When contacted, Deutsche Post confirmed the incident. "During a security update of our moving portal umziehen.de, a copy of the database entries was created which was, in violation of our security standards, not deleted due to human error and was then accessible to users with expert knowledge."
In fact, true expert knowledge wasn't necessary. The database could simply be downloaded. To do so, users only had to know the filename, dump.sql.
There is a simple explanation for why this particular filename was used: the documentation for the widely used database software MySQL uses dump.sql as the output file in its example for the mysqldump backup tool. Someone at the postal service had followed the example when making a copy of the database and apparently, by mistake, saved it in the web server's document root, the directory whose files the server hands out to anyone who requests them by name. One could download it by simply typing in the web address
Customer Addresses and Order Histories from an Online Pharmacy
After I informed the postal service of the error, they quickly removed the database copy. But the problem is one that affects numerous other websites. By simply experimenting with typical filenames, I was able to access more than 2,000 additional databases in addition to the one belonging to the German postal service. To the degree possible, I tried to notify the web hosts of the sites in question.
Pharmacy Online Australia had a particularly large set of data saved on its server. Beyond the addresses of 600,000 customers, it also included details about their drug orders. It was extremely sensitive data that should definitely not fall into the wrong hands.
I discovered additional sizable databases at Beckertime, a sales portal for Rolex watches, at a U.S.-based toy seller, at the German electronics mail-order site IT-Market and at revell-shop.de, an online shop for model building (but not operated by the company of the same name). Anyone searching for data files with the name dump.sql could easily call up the addresses and even account information of hundreds of thousands of people. The companies have since responded and secured the copies of the databases.
It's Likely that Criminals Already Possess Some of the Databases
One can assume that many of the databases had already been accessed by someone else by the time I got there. That, at least, is what my experience has taught me. Web servers routinely record every request they receive, including requests for files that do not exist, and keep these access logs for at least a few days. Anyone who operates their own website can thus easily determine whether attempts have been made to access non-public data. A search of my own server logs revealed that repeated attempts have been made in the past to search for such data. It is difficult to say whether the searches were made by IT security experts or by criminals.
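A simple way to perform the log check described above, as an added example that is not part of the original article: the script below reads web server access log lines in the common "combined" format used by Apache and nginx, picks out requests for database dump files, and reports per client address whether the requests merely probed for a file that was not there (status 404) or actually hit an existing file (status 200). The list of filenames besides dump.sql and the sample log lines are constructed for this example and are not taken from any real server.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format:
# client ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Filenames that commonly appear as leftover database exports.
# dump.sql is the one from the article; the others are assumed variants.
DUMP_NAMES = {
    "dump.sql", "backup.sql", "db.sql", "database.sql", "data.sql",
    "dump.sql.gz", "backup.sql.gz", "dump.sql.zip", "db.sql.gz",
}


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def is_dump_probe(path):
    """True if the request path points at a file that looks like a database dump.
    The query string is dropped and the last path component is lower-cased,
    so /old/Dump.SQL?x=1 is still caught."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    return name in DUMP_NAMES or name.endswith(".sql")


def find_dump_requests(lines):
    """Return the parsed records of all requests that targeted a dump file.
    'exposed' means the server answered 200, i.e. the file existed;
    'downloaded' means it was a GET that was answered 200, i.e. the
    contents actually left the server."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_dump_probe(rec["path"]):
            continue
        rec["exposed"] = rec["status"] == 200
        rec["downloaded"] = rec["exposed"] and rec["method"] == "GET"
        hits.append(rec)
    return hits


def summarize(hits):
    """Group dump requests per client IP: probes, hits on an existing file, downloads."""
    by_ip = defaultdict(lambda: {"probes": 0, "exposed": 0, "downloaded": 0, "paths": set()})
    for h in hits:
        s = by_ip[h["ip"]]
        s["probes"] += 1
        s["exposed"] += int(h["exposed"])
        s["downloaded"] += int(h["downloaded"])
        s["paths"].add(h["path"])
    return dict(by_ip)


# Constructed sample log lines (addresses from documentation ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2017:08:14:02 +0200] "GET /dump.sql HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2017:08:14:02 +0200] "GET /backup.sql HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2017:08:14:03 +0200] "GET /db.sql.gz HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jul/2017:09:30:11 +0200] "GET /index.php HTTP/1.1" 200 5312 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jul/2017:09:30:15 +0200] "GET /old/dump.sql HTTP/1.1" 200 48213990 "-" "curl/7.52.1"
192.0.2.99 - - [10/Jul/2017:11:02:44 +0200] "HEAD /dump.sql HTTP/1.1" 200 - "-" "python-requests/2.18"
192.0.2.99 - - [10/Jul/2017:11:02:45 +0200] "GET /wp-login.php HTTP/1.1" 200 2211 "-" "python-requests/2.18"
"""


def report(log_text):
    """Convenience wrapper: summarize dump requests found in a block of log text."""
    return summarize(find_dump_requests(log_text.splitlines()))


if __name__ == "__main__":
    for ip, s in report(SAMPLE_LOG).items():
        print(f"{ip}: {s['probes']} probe(s), {s['exposed']} hit an existing file, "
              f"{s['downloaded']} downloaded -> {sorted(s['paths'])}")
```

Run against a real log with `report(open("/var/log/apache2/access.log").read())` or by piping the file in. The distinction the output draws matters for the notification question the companies quoted below wrestle with: a string of 404s shows someone was scanning, while a 200 on a GET with a large byte count shows the data actually left the server.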
The German postal service has begun informing customers affected by the breach. A company statement notes that: "For a short time, it would have been possible for someone with the necessary technical knowledge to access your information (name, old and new addresses, moving date, email address). We rectified the mistake within minutes of learning of it. We cannot exclude the possibility that unauthorized persons viewed your data in that time period."
The managing director of revell-shop.de responded that he intends to immediately begin informing customers.
The spokesperson for the electronics site IT-Market told me that, based on an examination of his log files, he doesn't believe that anybody except for me tried to download their database. "For that reason, we will refrain from notifying our customers."
The American toy seller hasn't yet responded to my request for comment, which was sent days ago, nor has the company removed its database from the web. The other companies haven't yet commented.
Translation: Charles Hawley