"Mistake made" Debt collection company ScoreControl poorly protected customer data
A Swiss programmer has made public a security vulnerability at the debt platform Meine-schuld.ch. Data from debtors at the debt collection company ScoreControl was affected. The vulnerability has since been fixed.
No time? blue News summarizes for you
- The online debtor platform Meine-schuld.ch of the debt collection company ScoreControl was not adequately protected against hackers.
- The weblog "Dnip" publicized the discovery by Swiss programmer Daniel Gnägi.
- A simple security gap allowed anyone with basic hacking skills to retrieve data.
- ScoreControl has closed the security gap and relativized the extent of the error.
Debts come quickly. If you forget an invoice or lose a letter, a debt quickly ends up with a debt collection agency. These are companies that collect debts for other companies.
Research by the weblog "Dnip" now shows that data protection is not implemented in an exemplary manner by all debt collection companies. The research focuses on the Meine-schuld.ch platform of the debt collection company ScoreControl, where people with debts can check their outstanding debt collection cases on the Internet. ScoreControl boasted that the portal was created in accordance with the "latest security aspects".
However, programmer Daniel Gnägi discovered in December that it was quite easy to gain unauthorized access to debtor accounts. The exact procedure is described in detail in the "Dnip" weblog.
In a nutshell: Meine-schuld.ch was not protected against the simplest hacker tricks. Anyone who entered a certain character string in the login field was able to manipulate the database queries in such a way that a successful login was always possible. "Dnip" titled the search "Debtor at the online pillory".
Learners are already aware of this vulnerability
This form of security vulnerability - known as SQL injection in technical jargon - has been known in the hacker scene for years and is easy to fix. Nevertheless, it still happens time and again that websites do not incorporate protection against it.
The specialist magazine "Security Insider" writes that this security gap is not only exploited by professional hackers, but also by "script kiddies". In other words, not much technical knowledge is required to exploit it.
According to "Dnip", the website did not even have an "effective limit" on login attempts until early January 2025. This means that a program could have accessed countless customer data over several days. Not only could the name, address, email address and date of birth be viewed, but also all outstanding invoices.
The lack of simple protection mechanisms has no legal consequences for ScoreControl. According to its own statements, the company assumes that no further misuse has taken place apart from in the case of the person discovered - the corresponding access logs did not provide any evidence of this. There was therefore no report to the authorities.
ScoreControl confirmed to the weblog and blue News that the security vulnerability arose in the course of a website relaunch at the end of November 2024 and was fixed at the beginning of January 2025
When asked by blue News, ScoreControl emphasized that "demonstrably no damage was caused by the security vulnerability". Managing Director Olaf Pauls also says: "Mistakes were made, but these were rectified within a very short time and appropriate countermeasures were taken."