The bankruptcy proceedings of Getin Noble Bank are pending. Customers who want to join the proceedings and get their money back must submit a claim through the National Debt Register (KRZ) kept by the Ministry of Justice.
So it is not surprising that in recent days the website KRZ.ms.gov.pl has been under siege. On Friday, interest in the service was so great that it even displayed a warning message about performance problems.
Bankruptcy of Getin Noble Bank. Vulnerability in the KRZ system?
informing about how to join the Getin Noble Bank proceedings. And this is where strange things begin to happen. Because it turns out that in order to submit a claim, it is enough to fill out … one form.
After completing it, creditors automatically receive access to detailed case files, including the personal data of other participants in the proceedings – this is about detailed information on 30,000 Poles – including PESEL numbers, ID card numbers and addresses of residence.
The mere fact that it was so easy to get sensitive data raises some doubts. However, this is not the end of the surprises. It turns out that in order to gain access to the case files, you do not have to be a party to the proceedings, because no one verifies it. Literally anyone could get it.
who, in response to readers’ reports, decided to check whether access to case files of Getin Noble Bank can be obtained without proper verification and authorization. Yes, you can.
The problem with KRZ has been reported to us by various readers for several days. To verify whether their panic and fear for their data is justified, we used the KRZ form to submit claims. We filled it with nonsense data, sent the application without a signature and without payment. Such a letter will have no legal effect, but it has one technical effect. We got access to the case file! Automatically. Just like that!
– explains Niebezpiecznik.
To log into the KRZ system you must have a Trusted Profile, which to some extent limits the possibility of obtaining data by random people. The problem is that illegally obtaining such a profile is not particularly demanding for cybercriminals.
According to Niebezpiecznik, on Friday the number of participants in the proceedings whose data could be viewed was 17,000, while on Tuesday it was over 30,000 people.
Let’s add that it’s more than 30,000 names, phone numbers and addresses. We saw a phone number in some of the metrics. According to one of the readers, you can also dig up the ID number and information about the property to which the loan relates.
– writes Niebezpiecznik.
Data of 30,000 Poles available to everyone. What about UODO?
The case was reported to both the Ministry of Justice and the Office for Personal Data Protection (UODO). As for UODO, the institution sent a message to the editorial office of Niebezpiecznik, in which it admits that it had submitted “comments to the proposed solutions regarding the computerization of the functioning of KRZ – both to the Act on the National Register of Debtors and the executive acts to its provisions”.
Each time, UODO presented its concerns as to the legal structure adopted in the Act of 6 December 2018 on the National Register of Indebted People, according to which PESEL numbers entered in the National Register of Indebted Persons are subject to public disclosure, therefore they are open and publicly available. The authority pointed out that this openness and public availability of PESEL numbers in the National Register of Indebtedness not only cannot be reconciled with – stipulated in art. 87 of the GDPR – the principle that the processing of the ‘national identification number’ (which is the PESEL number) should be carried out with appropriate safeguards for the rights and freedoms of the data subject, but – above all – it poses serious threats to persons whose PESEL number will be made public in the National Register of Indebtedness.
– we read in the message.
Ministry of Justice: Data in KRZ are safe
On Wednesday, the Ministry of Justice published a statement “in connection with media inquiries about alleged irregularities in access to the data of creditors of the bankrupt Getin Noble Bank”. Zbigniew Ziobro stresses in it that the data collected in KRZ are “fully safe and processed in accordance with applicable law”.
In accordance with the Code of Civil Procedure and the Bankruptcy Law, all participants have access to the files of bankruptcy proceedings. This results from the principle of internal openness of civil proceedings, which guarantees equal rights to the participants in the proceedings.
– we read in the message of MS.
The provisions governing access to files of insolvency proceedings have been in force since 2003. So they were the same under the previous ministers of justice, as well as in the previous ‘paper’ system of handling these proceedings in the courts.
– the ministry adds.
At the same time, MS warns that persons who gain unauthorized access to the system, e.g. “by falsely reporting claims”, and come into unlawful possession of data are subject to criminal liability. “Such cases will be reported by the trustee to the prosecutor’s office” – explains MS.
Bankruptcy law allows access to case files to all participants in the proceedings, but only in court or through the trustee. “Here, tens of thousands of people (you also have to add proxies) can read and download very detailed information without moving from home and with one click” – we read.
Source: Gazeta

Mabel is a talented author and journalist with a passion for all things technology. As an experienced writer for the 247 News Agency, she has established a reputation for her in-depth reporting and expert analysis on the latest developments in the tech industry.