The German-based, international vehicle rental company Buchbinder was caught with its pants down in December.
The German Society of Security Specialists informed Buchbinder on 9 December, but got no reply. They tried again a few days later and there was still no response, so they reported it to the State DPO and to heise Verlag (German IT press) and Die Zeit (German mainstream press).
Both press organisations worked together to look into the alleged leak. It seems that the rental company (part of the EuropCar group) was using a cloud backup, but it had been poorly configured: the backup share was exposed over the Internet via SMB, with no user name or password required to read the data.
The SQL Server backups were there for all to read. They held customer data (over 3,000,000 records) going back in some cases to 2003, including complete contracts, name, address, payment details, driving licence, gender, religion, age, and information such as accident reports and police breathalyser results.
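The misconfiguration described above is an anonymously readable SMB share reachable from the Internet. The following is an added example (not Buchbinder's or the press reports' own material) of a defender-side check that audits a Samba `smb.conf` for the settings that produce exactly that exposure: guest mapping, share-level security, guest-accessible shares and an unrestricted listener. It assumes the share is served by Samba; both configurations and the share name `sqlbackups` are constructed for the example.

```python
import configparser

# Constructed example of the weak configuration: failed logins are mapped to the
# guest account and the share holding SQL Server backups allows guest reads.
WEAK_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = Bad User

[sqlbackups]
   path = /srv/backups/sql
   guest ok = yes
   read only = yes
"""

# Constructed hardened counterpart: no guest mapping, authenticated group only,
# and the listener bound to the internal interface rather than every address.
HARDENED_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = Never
   interfaces = 10.0.0.0/24
   bind interfaces only = yes

[sqlbackups]
   path = /srv/backups/sql
   guest ok = no
   valid users = @backupops
   read only = yes
"""

_TRUE = {"yes", "true", "1"}


def _parse(text):
    # smb.conf is INI-like; keys are case-insensitive and may repeat, so parse leniently.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str.lower
    cp.read_string(text)
    return cp


def audit_smb_conf(text):
    """Return a list of findings describing anonymous-access or exposure risks."""
    cp = _parse(text)
    findings = []
    g = cp["global"] if cp.has_section("global") else {}

    # Samba's default is "Never"; anything else turns failed logins into guest sessions.
    if g.get("map to guest", "Never").strip().lower() != "never":
        findings.append("global: 'map to guest' turns failed logins into guest sessions")
    # Share-level security (removed in Samba 4) needs no per-user credentials at all.
    if g.get("security", "user").strip().lower() == "share":
        findings.append("global: 'security = share' requires no per-user credentials")
    # Without interface binding the service listens on every address, Internet-facing ones included.
    if g.get("bind interfaces only", "no").strip().lower() not in _TRUE:
        findings.append("global: listener not restricted to specific interfaces")

    for name in cp.sections():
        if name.lower() == "global":
            continue
        share = cp[name]
        for key in ("guest ok", "public", "guest only"):
            if share.get(key, "no").strip().lower() in _TRUE:
                findings.append(f"share [{name}]: '{key} = yes' permits anonymous access")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, audit_smb_conf(conf) or "no findings")
```

The check is deliberately conservative: a share with `guest ok = yes` is reported even when `read only = yes`, because read access to a backup is precisely the failure the article describes.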
Politicians and other prominent people were in the list, as well as normal citizens. More worrying, information about religion and sexual orientation was also held on some customers (through association): rentals for individuals through gay rights organisations, Muslim and Jewish communities and organisations, and so on. A major GDPR breach.
Additionally, it has brought to light a further GDPR breach: the data is in many cases older than 10 years. GDPR states that data retention should be as short as possible. Under German tax law, the customer information around contracts has to be held for 10 years and no more. Therefore the oldest information should be at most 10 years old (with the possible exception of the first registration date in the customer profile).
This could lead to a major fine under GDPR.
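The retention point above translates into a routine sweep: any contract record whose 10-year period has run out is a deletion candidate, while the profile's first-registration date is not by itself a reason to keep the record. The following is an added example (not Buchbinder's or the article's own code) of such a sweep; the records, the dates and the assumption that the 10 years are counted from the contract's end date are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

RETENTION_YEARS = 10  # retention period for contract data cited in the article


@dataclass(frozen=True)
class ContractRecord:
    customer_id: str
    contract_end: date       # assumed start of the retention period
    first_registered: date   # profile field that may legitimately be older


def add_years(d, years):
    """Shift a date by whole years, clamping 29 February to 28 February when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_deadline(rec, years=RETENTION_YEARS):
    """Date after which the record no longer has to be (and should not be) kept."""
    return add_years(rec.contract_end, years)


def expired_records(records, today, years=RETENTION_YEARS):
    """Return records whose retention deadline has passed, i.e. deletion candidates."""
    return [r for r in records if retention_deadline(r, years) < today]


def expired_ids(records, today, years=RETENTION_YEARS):
    return sorted(r.customer_id for r in expired_records(records, today, years))


# Constructed sample data, checked against a constructed audit date in January 2020.
AUDIT_DATE = date(2020, 1, 15)
SAMPLE = [
    ContractRecord("C-0001", date(2003, 5, 10), date(2003, 5, 10)),   # expired in 2013
    ContractRecord("C-0002", date(2009, 12, 31), date(2005, 2, 1)),   # expired 31 Dec 2019
    ContractRecord("C-0003", date(2010, 3, 1), date(2010, 3, 1)),     # still within 10 years
    ContractRecord("C-0004", date(2015, 8, 20), date(2003, 1, 4)),    # old profile, recent contract
    ContractRecord("C-0005", date(2008, 2, 29), date(2008, 2, 29)),   # leap-day edge case
]

if __name__ == "__main__":
    for rec in expired_records(SAMPLE, AUDIT_DATE):
        print(rec.customer_id, "retention ended", retention_deadline(rec))
```

Record `C-0004` shows why the registration date is kept out of the decision: its profile dates from 2003, but its most recent contract is well inside the period, so it stays.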