IT security: Major data leak at DPD

Once again, we have to report on a serious data scandal. This time, the parcel service “DPD” is affected. Here, customer data was apparently quite openly accessible via a sensitive security vulnerability.

Serious data leak

The security gap became known through “Bleeping Computer”. The U.S. news site for IT security made it clear that customer data was openly accessible. The cause was a data leak in the programming interface of the shipment tracking system. In this interface, customers can enter their own zip code to find out where their parcel is. The whole thing was discovered by security experts from Pen Test Partners. According to the IT security experts, it was no problem for hackers to view the data of all customers who use shipment tracking. The principle of parcel tracking is used in exactly the opposite way. With the help of the simple parcel number, cyber criminals could have easily viewed the addresses and data of the customers.

Screenshot with sensitive data

If a hacker had exploited the security vulnerability, he would have been able to obtain a screenshot containing extremely sensitive data. Among other things, the customer’s address could have been viewed on the screenshot. On top of that, third parties could have easily used the zip code and parcel code to see when the parcel would reach its destination. However, the fact that criminals could have viewed the JSON data is particularly serious. This includes the most sensitive personal data such as e-mail address, telephone number and full names.

DPD has known since September 2021

For DPD itself, the information about the security vulnerability is not new. As befits IT security experts, “Pen Test Partners” already informed the parcel supplier about the grievances in September last year. A corresponding closing of the security gap is said to have taken place just one month later. So far, however, it is uncertain whether and to what extent hackers have exploited the data leak.