At the Federal Employment Agency, users could view third-party user data. But the Federal Agency does not inform the affected users.
Federal Employment Agency: External user data was visible
The regional news portal Regensburg Digital reports that a customer of the Federal Employment Agency logged into her user account there and was then able to see third-party data. According to the report, she could see the correspondence between an employee of the Federal Employment Agency and a person unknown to her, evidently another customer of the agency. The woman found that she was logged into the stranger’s account, even though she had logged in to her own account. She could have seen all the data of the other job seeker.
In a nutshell: data breach
The woman informed the Federal Employment Agency. Shortly thereafter, she received an email from an IT specialist from Saxony. The email had the subject “data breach” and contained the following text: “Thank you for your feedback. We’ll look into it. This must not happen.”
Federal Employment Agency confirms data breach
The data protection department of the employment agency confirmed to Regensburg Digital that on May 18, 2022, between 8 a.m. and 9:35 a.m., it was possible for users to gain access to third-party user data after logging in. According to the agency, the error was caused by a “software change” in the online portal of the Federal Employment Agency. The agency later added that the problem arose during a software update process and affected the login function.
And further: “In individual cases, the registration data of customers were not completely deleted or not overwritten after registration. This enabled parts of the data set to be viewed by previously registered customers.”
The error was corrected immediately after it became known; from 10:05 a.m. everything is said to have worked again. But the affected user who reported the incident stresses that she logged in at 7:30 a.m. If so, the agency’s account of the incident would be wrong, at least in this detail.
Poor communication at first
Initially, a relevant notice appeared on the Federal Agency’s website only for a short time before it was taken offline again. The agency apparently did not inform the affected users themselves. Only in the BA app does there seem to have been a corresponding notice, as Borncity writes.
In the meantime, however, the Federal Agency has published new information on the data protection incident. It gives no figures on how many job seekers were affected by the disclosure of their confidential data; apparently it does not know who or how many users were affected: “How many users were affected by the problem can no longer be determined.”
But now the question arises as to whether the Federal Employment Agency is not obliged under the GDPR to inform all those affected directly.
Definitely yes, the reporting of the data breach by the agency (mandatory) will definitely be interesting
— Ulrich Kelber (@UlrichKelber) May 19, 2022
BA statement to PC-WELT
PC-WELT asked the Federal Employment Agency some questions about this incident. The response from the BA reached us promptly. We reproduce the statement and our questions here in full.
Question: When exactly did the incident occur, how long did it last and what caused the disclosure of the data?
Response from the BA: “The online portal of the BA is available to customers 7*24 hours. Online systems must be regularly supplied with operating system and IT security changes (patches). During the update on Tuesday, an update and cleanup process for one of several temporary system memories (system containers) did not start properly. On the morning of May 18, 2022, between 8 a.m. and 9:35 a.m., there was a technical error in the login function of the online portal of the Federal Employment Agency. In individual cases, the registration data of customers were not completely deleted or not overwritten after registration. This meant that parts of the data record could be viewed by customers who had previously registered. After the error became known, the online registration function was deactivated at 9:35 a.m. The error was corrected immediately. At 10:05 a.m. the online registration function was available again without errors.
So this error existed for about 90 minutes.”
Question: Exactly which websites and apps were affected?
The BA’s response: “The websites and services that required user authentication were affected.”
Question: How many users were affected?
Response from the BA: “The error was corrected after a short time.
How many and which people were affected in this time window can no longer be determined in retrospect. However, the problem only occurred in this time window and only in a specific constellation, namely when both users happened to be simultaneously booked on the same temporary system memory for a fraction of a second.”
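The failure mode the BA describes, a pooled temporary slot that is handed to the next login without having been cleared, can be reproduced in a small simulation. The following Python is an added example written for this article, not the BA’s code; the slot, the customer ids and the records are constructed, and the two mitigations it contrasts (resetting the slot on every login instead of relying on a separate cleanup job, and refusing to render records whose owner tag does not match the logged-in user) are the kind of checks a defender would add.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample data, not from the incident: customer A has a reply from a
# case worker in the account, customer B has no correspondence yet.
SAMPLE_RECORDS = {
    "cust-A": [("cust-A", "Reply from case worker about your application")],
    "cust-B": [],
}


@dataclass
class TempSlot:
    """One reusable 'temporary system memory' slot that successive logins share."""
    current_user: str = ""
    records: list[tuple[str, str]] = field(default_factory=list)  # (owner, text)


class LoginService:
    def __init__(self, cleanup_runs: bool, reset_on_login: bool, owner_check: bool):
        self.slot = TempSlot()                # a single slot: both users land on it
        self.cleanup_runs = cleanup_runs      # the separate cleanup job the BA mentions
        self.reset_on_login = reset_on_login  # mitigation 1: fresh state on every login
        self.owner_check = owner_check        # mitigation 2: verify ownership on read

    def login(self, user_id: str) -> None:
        if self.cleanup_runs or self.reset_on_login:
            self.slot = TempSlot()            # stale data is gone before the slot is reused
        # Otherwise the previous user's records stay in the slot: the failure mode.
        self.slot.current_user = user_id
        self.slot.records.extend(SAMPLE_RECORDS[user_id])

    def view_records(self) -> list[str]:
        me = self.slot.current_user
        if self.owner_check:
            foreign = {owner for owner, _ in self.slot.records if owner != me}
            if foreign:
                # Fail closed with an auditable error instead of rendering the data.
                raise PermissionError(f"slot for {me} holds data of {sorted(foreign)}")
        return [text for _, text in self.slot.records]


def second_login_sees(cleanup_runs: bool, reset_on_login: bool = False,
                      owner_check: bool = False) -> list[str]:
    """Log in A, then B, on the same slot and return what B is shown."""
    svc = LoginService(cleanup_runs, reset_on_login, owner_check)
    svc.login("cust-A")
    svc.login("cust-B")
    return svc.view_records()
```

With the cleanup job failing and no mitigation, `second_login_sees(False)` returns customer A’s correspondence to customer B; either mitigation on its own stops that, the second one by raising an error that can be alerted on.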
Question: Has the BA already informed the users? If yes: how? If no: why not?
Answer: “Unfortunately, who exactly was affected by this can no longer be determined. However, a fault report was published on the arbeitsagentur.de homepage from midday. Citizens can use a contact form to contact the customer reaction management of their employment agency. You can find a note about the incident on our homepage, see the following question.”
Question: Why was there a corresponding note on the BA website only for a short time?
Response from the BA: “First there was a message in the form of an ‘interferer’; in the meantime we have inserted an information tile on the start page for private individuals of our homepage and stored more information there, under “Current information” (below) and at https://www.arbeitsagentur.de/news/it-vorfall.”
Question: Have the responsible data supervisory authorities and the Federal Data Protection Commissioner already been informed? When does this happen?
Response from the BA: “Yes, they were informed on the same day.”
Question: Is there any evidence that hackers are already exploiting the incident? For example for identity theft?
Answer from the BA: “No. That is also very unlikely. Firstly, the disruption only occurred for a short time and only in a constellation that cannot be brought about intentionally.”
Car rental Buchbinder never informed affected customers
The case of the Buchbinder car rental company also shows that users affected by a serious data protection violation are by no means always informed (see: Car rental Buchbinder – no penalty despite a huge data breach).