Bonify and the Loss of Digital Identity

On October 1, 2025, a data protection incident came to light that further shook trust in the digital credit industry: Schufa subsidiary Forteil, operator of the Bonify service, confirmed that unauthorized access to user identification data had occurred. This was not about abstract metadata or technical logs, but real personal data: identity documents, addresses, photos, and video recordings, captured during the video identification process.

What Exactly Happened?

As first reported by heise online, an attack on Bonify resulted in the theft of sensitive user data collected during the onboarding process for new customers, specifically:

• Identity data
• Address information
• Photo and video data from the identification process

Forteil states that no passwords, bank data, or credit information were compromised. However, the loss of the mentioned information is sufficient to potentially enable significant identity misuse. Particularly problematic: the attack affects those who registered via video identification—a method that has increasingly gained traction due to its supposed user-friendliness.

Why This Incident Extends Beyond Bonify

Bonify sees itself as a digital interface between consumers and Schufa, promising more transparency in the otherwise opaque world of credit scores. At the same time, the service mediates loans and credit reports to third parties (e.g., for landlords), which has already been critically discussed in terms of data protection in the past. When this service itself becomes the victim of an attack, more is at stake than just a technical data leak.

It’s About Trust. And Systemic Risk.

• The incident shows how vulnerable digital identity infrastructures are—especially where personal data is aggregated, stored, and monetized.
• Those who sign up with Bonify not only open up their Schufa data but also provide a complete digital copy of their identity—including identity documents and facial recognition.
• The fact that these data are now in unknown hands is not only threatening for those affected but also for the entire trust in digital identity procedures.

The Open Questions

Many details remain unclear. Neither has it been stated how many users are affected, nor when exactly the compromise occurred. There is also no official statement from the service provider ID Now, through which the video identification process is handled—according to Heise, it is currently not assumed that the leak occurred there.

Additionally, another question arises: Why were these data stored permanently at all? The storage of sensitive video identification data is only very limitedly permissible under data protection law. A one-time verification should actually suffice—with immediate deletion thereafter.

What Affected Individuals Should Do Now

Even if no bank data is affected, the risk of identity theft is real. With an identity document, criminals can:

• Sign up for mobile contracts
• Open fake accounts on platforms
• Misuse payment service providers
• In combination with other leaks, even obtain loans or subscriptions

Those affected should therefore:

• File a report for identity theft
• Block the old ID and apply for a new one
• Place a warning notice with Schufa
• Watch out for suspicious emails, SMS, and calls
• And keep an eye on their own data with identity monitoring (Bonify currently provides this free for six months—questionable if that’s enough)

A Structural Problem

This incident is part of a long list of critical incidents involving players in the digital identity industry. It shows how narrow the line between innovation and risk is—and how important binding data protection standards, external audits, and technical minimum standards are. Those who market themselves as a “transparency initiative” must also be measured by the highest possible security.

Schufa itself is currently under increased scrutiny: In the wake of introducing a new scoring system and various court rulings, the pressure on the company to take consumer protection seriously is growing. The leak at Bonify falls into this phase—and undermines any PR offensive.

Conclusion: Identity Data is Not Collateral Damage

This is not about an email address or a phone number. It’s about what uniquely identifies a person—name, face, address, identity document. The misuse of these data can have long-term consequences, up to financial damage and legal complications.

Digital identity is a promise—but also a responsibility. Those who work with it need not only the consent of the users but also their trust. And that is precisely what Bonify has squandered in this case.