Bank sends coronavirus grant applications to wrong users
- 6 April 2020
On 28 March 2020, it was reported that the development bank Investitionsbank Berlin (IBB) had accidentally given small businesses and the self-employed access to other users’ applications for coronavirus (Covid-19) grant funding due to a programming error.
IBB sent users of the bank’s grant application system a link to their online application documents after submission. When some users downloaded the application using the link provided by the bank, the document they downloaded belonged to another applicant, and contained the applicant’s company address, tax number and bank details. Applicants reported being alerted to the issue by other users manually forwarding them the applications they had incorrectly accessed, golem.de reports.
Applicants via IBB’s website were directed to Queue-it, a queue website operated by a Danish company, after the bank’s website became overloaded. This queuing system led to the incorrect disclosure of the data, winfuture.de reports.
A spokesman for IBB said the bank noticed the error around 17:30 CET on 27 March 2020, according to golem.de. IBB was unable to say how many users were affected by the data breach and whether sensitive data had been disclosed. At 17:49 CET on 27 March 2020, IBB thanked users on Twitter for alerting it to the problem, which it said it had immediately rectified. It said it was in contact with its data protection officer and that the data that applicants had submitted had been correctly received. IBB resolved the problem by suspending access to the completed applications, leaving applicants unable to check the information they had sent, winfuture.de reports. On its website, IBB said on 28 March 2020 that it had interrupted processing due to a data protection problem it discovered on 27 March 2020.
The Berlin data protection officer said on 30 March 2020 it had received a report about the data breach at IBB. According to the report, a serious programming error made applications available to other people on 27 March 2020 between 15:30 CET and 16:30 CET. It stated further that applicants who submitted applications within this period should assume their data had been transmitted to third parties. The officer said IBB estimated that 390 applicants had been affected, and they were being informed of the issue.
As of 29 March 2020, IBB had received 836 fully submitted applications for a total of EUR 152 million since applications opened on 27 March 2020. The bank normally processes up to 3,000 grant applications per year, deutschlandfunk.de reports.