The document lists more than 60 names and is publicly available on the site of a data broker. Most of those names are said to belong to German citizens. Their date of birth, passport number and expiration date are also listed. Such data is considered particularly sensitive because it can be used for identity theft. Selling and publishing it online is a disaster from a data protection perspective.
The list was uploaded to the site of a data broker in the EU that allows others to buy or sell data. We are not naming the site here because the list is still online. The document listing more than 60 names is apparently a free sample. Interested parties can use such samples to get an impression of the data before buying more of it. The data broker makes money from each sale: according to its own information, it keeps part of the sales price as a fee.
netzpolitik.org was able to identify several people on the list. They live in Bavaria or Lower Saxony and confirm that their data and ID numbers are genuine. Some were shocked to learn their data was public. One person tells us on the phone: "Data protection, you often hear about it. But it's a different feeling when you see your own data openly on the Internet."
ID data is one of the most sensitive forms of data, because people use it to prove their identity. That makes it particularly interesting for criminals. They use the stolen data for paid subscriptions or make purchases under a false name. According to a recent survey, one in ten Germans has already been affected by identity theft.
Data trader shrouds itself in silence
Our research into the exact origin of the sensitive data did not yield any clear results. The company behind the site did not respond to our inquiries via several channels. The offer page for the purchase of the data disappeared from the website after we contacted them. However, the document with the sample data is still online.
The company is registered in the EU and is also listed in the marketplace’s privacy policy. The two founders are active on LinkedIn. One of them runs his own podcast. Should they or other representatives of the company respond, we will amend the article.
There are indications that the ID data may have found its way onto the internet via airlines. An account with a name hinting at Wizz Air appeared as the seller. Wizz Air is the name of a Hungarian low-cost airline. However, people can also give their accounts misleading names on the platform. All you need to register is a working e-mail address. Wizz Air has not yet responded to our inquiries.
The trail leads to low-cost airlines
We contacted the account offering the data using a form on the site. We wanted to know where the data came from, how big the data collection was and how much it would cost.
A new name appeared in the chat that opened: suddenly it no longer said Wizzair but a man's name. However, the name is very common; an online search for a person with this name produced countless hits. Shortly after, the offer with the ID data had disappeared from the site, and the name of the provider in the chat was changed to "aaaa bbbb".
It is therefore possible that Wizz Air has nothing to do with the offer. None of the affected persons we contacted stated that they had flown with Wizz Air. However, at least four of those affected said they had traveled with another low-cost airline: Corendon.
Anyone searching for Wizz Air on the platform last week found another offer with the Corendon logo. Data from more than 20,000 passengers from other EU countries was allegedly offered for sale. But even in this case, the airline’s logo could have been uploaded by anyone. Corendon has not responded to our attempts to contact them.
Airline in trouble
Corendon is a Turkish low-cost airline based in Antalya. The airline has been flying to vacation destinations from Germany since 2005 and for a while was a sponsor of the soccer club 1. FC Nuremberg. In recent years, there have been reports of payment difficulties at Corendon.
When we created our own account on the data broker's platform as a test, we were able to name it freely. All we needed to register was an e-mail address. It is therefore possible that the names of Wizz Air and Corendon were used by an uninvolved person and that the airlines themselves have nothing to do with the data being offered.
Even if the origin of the ID data remains unclear, one thing is certain: the data is apparently genuine. And it was openly offered for sale by a data broker in the EU, including a free sample available online. Offering such sample data sets to potential customers is widespread in the industry, but they are usually protected with a password.
"Probably unlawful"
The incident is yet another example of the shady business of data traders. An opaque network of thousands of companies buys and sells personal data like ordinary goods. It is mainly used for advertising and consumer scoring, but secret services and criminals also make use of this data source. Where exactly people's data ends up and what it is used for is not clear to anyone in this system, not even the data traders themselves.
Whether the industry's business model can even be operated in accordance with the European Union's data protection rules, the General Data Protection Regulation (GDPR), is controversial. If at all, the sale of data is only possible with the consent of the data subjects. The requirements for valid consent are high. Does the described offer with the ID card data violate the law?
"The sale of such data records is probably unlawful," writes Elisabeth Niekrenz, a lawyer specializing in data protection, when asked for an assessment. In theory, those responsible could have obtained consent for the sale of customer data to third parties. However, consent must be informed, voluntary, given for the specific use case and unambiguous. "Under no circumstances is a note in the small print sufficient," says the lawyer. "I doubt that data subjects will consent to the sale of such sensitive data if they are informed about the details."
Data protection authorities are alarmed
We asked the supervisory authorities in Bavaria and Lower Saxony, among others, for their assessments, as we were able to identify people from both federal states in the sample data set. Both authorities emphasize that they can only comment in principle, not on the specific case.
The Bavarian State Office for Data Protection Supervision states: "In a constellation such as the one described, where customer data is passed on to a data trader who in turn offers it for sale, we cannot recognize per se what could justify this."
The supervisory authority from Lower Saxony, on the other hand, emphasizes that at least certain data can be passed on if the data subjects have given their consent. It would be interesting to see whether the data broker has proof of such consent, it says. "If this is not the case, it would be reasonable to suspect that the data broker may have obtained the data in an inexplicable, possibly even unlawful manner."
We also informed the supervisory authority in the EU country in which the data broker is based. It could not comment on the specific case because it is not allowed to comment publicly on "ongoing or potential proceedings". According to the GDPR, failure to comply with consent requirements can result in penalties of up to four percent of annual turnover or 20 million euros.
"Legal use by third parties hardly conceivable"
Particularly strict rules apply to ID card and passport data. "Additional restrictions apply to ID card or passport numbers, so it is doubtful whether consent to the sale of such data would be effective at all," says lawyer Elisabeth Niekrenz. The law in question only provides for a few purposes for which the data from ID cards may be used at all. "Legal use of ID card or passport numbers and expiration dates by third parties is hardly conceivable," says the lawyer. "These details are most likely to be used for identity fraud."
Viennese surveillance researcher Wolfie Christl agrees: "Passport numbers are highly sensitive data with a high potential for misuse for identity theft and other criminal purposes." Christl doubts that the companies involved had a legal basis for passing on and selling the data. He hopes that the supervisory authorities will quickly launch an investigation.
If the authorities were to start an investigation, the data broker would have to prove the lawful consent of the data subjects. When we asked, none of the people we found in the data set could remember having consented to the sale of their data. On the contrary, those affected reacted with surprise or even shock that we found their data openly online. Several of those affected said they plan to lodge a complaint with the relevant data protection authorities.
Data subjects are probably entitled to compensation
Companies face severe penalties in the event of a GDPR breach. If an airline has illegally sold such data, this also applies to it. However, it is conceivable that the data could have ended up in the hands of data brokers by other means, such as through a leak. Criminals could possibly have accessed the data through a hack, or employees could have sold it.
As ID card data is so sensitive, Elisabeth Niekrenz says that not only the data protection authorities but also those affected should have been informed in such a case. The lawyer points out that those affected are probably entitled to compensation, both from the data broker and from the data source. The Bavarian State Office for Data Protection Supervision also emphasizes that those affected could sue the companies for damages.
Anyone who finds their own ID data online, or has the impression that other personal data has been processed without consent, can lodge a complaint with a data protection authority. For German citizens the first place to contact is the data protection authority in their own federal state.
There are two lists (each with 160+ unique names), one containing only data from German citizens, the other with data from Belgium, France, Netherlands and Poland.
Based on the metadata, the sample datasets were created on a Dell computer with MS Office 2016 or 2019 at the beginning of this year. The formatting of the data suggests that it likely originates from a database or API endpoint.
There is however one fact I find interesting/suspicious: For 1/3 of the people in the German dataset the same birthday is listed. Maybe the dataset was artificially inflated?