Data Breach at Numa Reveals Extensive Customer Identification Information

A recent incident at the Berlin-based accommodation provider Numa has raised serious concerns about data security and privacy. A member of the Chaos Computer Club (CCC) who was trying to book a stay with the company found that its systems exposed customer invoices and identity data to anyone who knew where to look.

Numa promotes a digital-first approach to hospitality in which guests check in without interacting with staff. The platform behind that model, however, had basic access-control flaws. Initial reports indicated that invoice numbers were sequential and that changing the number in a request was enough to retrieve other customers' billing information.

By altering the ID in the web address, the CCC member was able to view invoices processed by Numa, which included confidential customer details; because the numbers were consecutive, the whole set could be walked through one by one. The behaviour described is what is generally called an insecure direct object reference (IDOR): the server looked up the record by the client-supplied ID without checking that the requester was entitled to see it. In a statement, the CCC stressed how easily third parties could reach this financial data.

Numa's digital check-in process also required guests to upload a government-issued identification document such as a passport or ID card. This system exposed a JSON object containing extensive personal information: names, email addresses, phone numbers and the identity-document data itself. The CCC questioned why this data was collected at all, noting that it opened the way to unauthorised access to other people's identity information.
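The two flaws described above, an invoice lookup keyed by guessable sequential numbers with no ownership check and a response that serialises every stored field including the identity document, are modelled in the following added example. It is illustrative code written for this page, not Numa's software, and all records, account names and invoice numbers in it are constructed. The vulnerable handler is shown next to a hardened one that binds the lookup to the authenticated account and returns only the fields an invoice view needs.

```python
"""Toy model of an invoice endpoint with sequential IDs and no ownership
check, next to a hardened version.  Added example, not Numa's code; every
record below is constructed."""
from dataclasses import dataclass, asdict


@dataclass
class Invoice:
    invoice_id: int        # sequential, as the article describes
    owner: str             # account that legitimately owns the invoice
    amount_eur: float
    guest_name: str
    email: str
    phone: str
    id_document: dict      # captured at digital check-in


# Constructed sample store: three guests with consecutive invoice numbers.
INVOICES = {
    1001: Invoice(1001, "alice", 189.00, "Alice Example", "alice@example.org",
                  "+49 30 0000001", {"type": "passport", "number": "C01X00T47"}),
    1002: Invoice(1002, "bob", 240.50, "Bob Example", "bob@example.org",
                  "+49 30 0000002", {"type": "id_card", "number": "L01X00T47"}),
    1003: Invoice(1003, "carol", 99.90, "Carol Example", "carol@example.org",
                  "+49 30 0000003", {"type": "passport", "number": "T22000129"}),
}


class NotFound(Exception):
    """Stand-in for an HTTP 404."""


def get_invoice_insecure(invoice_id: int) -> dict:
    """Vulnerable handler: anyone who supplies a valid number gets the
    complete record.  No session, no ownership check, no field filtering."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    return asdict(inv)          # dumps every field, id_document included


def enumerate_insecure(start: int, stop: int) -> list:
    """What changing the number in the URL amounts to: walk the ID space
    and keep whatever the endpoint returns."""
    leaked = []
    for n in range(start, stop):
        try:
            leaked.append(get_invoice_insecure(n))
        except NotFound:
            continue
    return leaked


def get_invoice_secure(session_user: str, invoice_id: int) -> dict:
    """Hardened handler.  The lookup is bound to the authenticated account,
    and the response is a minimal projection: the ID document and contact
    details are not needed to display an invoice, so they are never sent."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != session_user:
        # One error for "missing" and "not yours": a distinct 403 would
        # tell an attacker which numbers exist.
        raise NotFound(invoice_id)
    return {
        "invoice_id": inv.invoice_id,
        "guest_name": inv.guest_name,
        "amount_eur": inv.amount_eur,
    }


def secure_denies(session_user: str, invoice_id: int) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        get_invoice_secure(session_user, invoice_id)
    except NotFound:
        return True
    return False


if __name__ == "__main__":
    stolen = enumerate_insecure(1000, 1010)
    print(f"insecure endpoint leaked {len(stolen)} invoices, e.g. "
          f"{stolen[0]['email']} / {stolen[0]['id_document']}")
    print("secure endpoint, own invoice:", get_invoice_secure("alice", 1001))
    print("secure endpoint, someone else's denied:", secure_denies("alice", 1002))
```

Replacing the sequential numbers with random tokens (for example from `secrets.token_urlsafe`) raises the cost of enumeration, but it is not a substitute for the ownership check: a shared or logged link would still hand the record to whoever holds it. The field projection addresses the second finding independently, since a handler that never serialises the identity document cannot leak it.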

The CCC notified Numa and the Berlin data protection authority of its findings. Numa in turn reported the breach to the Berlin data protection commissioner; the notifications went out on June 5 and June 6, respectively. Whether all affected individuals have been informed remains unclear, although the company has said that notifications are forthcoming.

The incident points to a broader problem with the collection of identification data from hotel guests in Germany. Since the start of the year, when the provisions of the Federal Registration Act (Bundesmeldegesetz) that previously required identification from German citizens were removed, there has been no evident legal basis for storing such data, and keeping it anyway may violate the General Data Protection Regulation (GDPR), which requires one. The CCC has therefore called for a reevaluation of the rules governing identity verification and data retention for all guests in the hospitality sector.

Numa's immediate response was commendable; CCC spokesperson Matthias Marx noted, however, that the root problem lies in the unnecessary collection of sensitive data in the first place. He emphasised that data breaches can be avoided altogether if such information is not collected, and called for the industry to reconsider its data-handling practices.