Lower Saxony Ministry of Culture Sloppy in Data Protection

The Lower Saxony Ministry of Science and Culture (MWK) operates a portal for an "online application procedure" through which artists, associations and museums can apply for grants or scholarships. Or rather: they could. After Heise Security pointed out serious privacy and security problems, the Ministry shut the service down completely yesterday.

The application procedure will now "be checked by external experts", Heinke Traeger from the MWK told Heise Security. That should really have happened before the service went into operation, because even a first cursory look by Heise Security revealed very obvious data protection deficiencies.

In the course of the application procedure, personal data was collected without any visible indication of what happens to it. An applicant had to confirm having read the privacy statement, but that statement was nowhere to be found on the application procedure's websites. The account created, together with the data linked to it, could not be deleted either. But the real clincher was how the data submitted in the application procedure was protected.

Protecting the data

Namely, it practically was not. In addition to name, address, telephone number and bank details, applicants submitted application forms, complete CVs, copies of ID cards and information on any disabilities to the MWK. Anyone who had created an account had access to all of it, simply by changing the value of the userID= parameter in the URL. The portal then displayed something like "Registered as: Hugo.Meier@somewhere.de" and you had full access to Hugo's data. Most likely the stored data could also have been modified, i.e. the bank details to which payments were to be made, but we did not try that.
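The flaw described above, a record selected by a user-controlled userID parameter instead of by the authenticated session, as an added illustration that is not the MWK portal's code. The applicant records, the portal URL and the audit log are constructed for the example; the hardened handler rejects a userID that does not match the session and records the mismatch so such probing shows up in logs.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample applicant records keyed by user ID (placeholder values).
APPLICANTS = {
    "1001": {"email": "Hugo.Meier@somewhere.de", "iban": "DE00 PLACEHOLDER 1001"},
    "1002": {"email": "Erika.Muster@example.org", "iban": "DE00 PLACEHOLDER 1002"},
}

# Constructed in-memory audit trail; a real deployment would write to its SIEM/log.
AUDIT_LOG = []


class Forbidden(Exception):
    """Raised when a request asks for a record the session does not own."""


def _requested_user_id(session_user_id: str, url: str) -> str:
    """Return the userID query parameter, defaulting to the session's own ID."""
    params = parse_qs(urlparse(url).query)
    return params.get("userID", [session_user_id])[0]


def show_application_vulnerable(session_user_id: str, url: str) -> dict:
    """The flawed pattern: the record shown is chosen solely by the userID
    parameter, so any logged-in user can read any other applicant's record."""
    requested = _requested_user_id(session_user_id, url)
    return APPLICANTS[requested]  # no ownership check against the session


def show_application_fixed(session_user_id: str, url: str) -> dict:
    """Hardened pattern: authorisation is tied to the authenticated session.
    A userID that does not match the session is refused and logged."""
    requested = _requested_user_id(session_user_id, url)
    if requested != session_user_id:
        AUDIT_LOG.append(f"user {session_user_id} requested record {requested}")
        raise Forbidden("userID does not match the authenticated user")
    # Look up by the session identity, never by the client-supplied value.
    return APPLICANTS[session_user_id]


if __name__ == "__main__":
    url = "https://portal.example/application?userID=1001"
    print(show_application_vulnerable("1002", url)["email"])  # leaks Hugo's record
    try:
        show_application_fixed("1002", url)
    except Forbidden as exc:
        print("blocked:", exc, AUDIT_LOG)
```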

Data sloppiness in the online application procedure of the Lower Saxony Ministry of Culture

Via the convenient online application, one could apply for a travel grant, for example.

Such sloppiness usually comes to light as soon as someone takes a critical look at privacy and security. That is what happened with Heise Security reader Falk Rismansanj, who changed the URL parameters out of curiosity and could hardly believe the alarming result. He then informed Heise Security, and we contacted the Ministry, which responded promptly and shut the service down completely the same day.

A case for the GDPR (DSGVO)

Under the GDPR, the Ministry is now obliged not only to report the incident to the competent data protection supervisory authority, but also to notify the affected persons whose data it failed to protect. We will see whether anyone who received such a notification gets in touch with us.

If you have knowledge of something you believe the public should know about, please contact us via the Heise Investigative mailbox. We handle this information responsibly and keep you anonymous on request.
