Data leak at payment service provider Klarna: third-party accounts visible

For a short time, the Klarna app displayed other people's data. Klarna immediately took the app offline and attributes the incident to human error.

Swedish payment service provider Klarna suffered a serious data leak on Thursday morning due to "technical problems". Users of the app report that they were able to view the data and transactions of various other people. Klarna has confirmed this and said it immediately took the app offline. In the meantime, login via the website, at least, is available again.

According to numerous tips on Twitter and from readers, the Klarna app displayed various accounts, just not the users' own. Readers report that every reload showed them another third-party account. Bank details, orders, open invoice amounts, names, addresses and telephone numbers were visible.

Thousands of users affected

Klarna confirmed the incident. For about half an hour on Thursday morning, users were shown random third-party user data, a spokeswoman told heise online. However, only around 9500 of the total of 90 million active customers were affected by this, she said. Initially, the company had assumed that 90,000 were affected (see also update at the end of the article).

"It is extremely important for us to emphasize that the access to the data was completely arbitrary and no card or bank data was displayed," the spokeswoman stressed. Names, addresses, phone numbers, verified email addresses and images of orders were affected, she said. "Bank details of customers, tax number and card details were not visible." However, Klarna admits that "obfuscated data" was visible, that is, the masked card and account numbers.

"Only non-sensitive data"

Measured against the GDPR standard, only non-sensitive data was disclosed, the spokeswoman continued. "However, we recognize that what is considered non-sensitive is perceived very individually and we always set our own standards higher than those of legal regulations such as the GDPR."

Klarna insists that an internal error caused the incident and that it was "not an external intervention in our systems." Following a human operator error, a faulty software update was uploaded to the live system on Thursday morning, the company said. After the error was discovered and the cause identified, the app was immediately taken offline.

Authorities informed

The payment service provider has informed the relevant authorities about the incident. Klarna now wants to find out first which users are affected and to what extent. In addition, internal processes are to be reviewed to ensure that such a mishap does not happen again. "We would like to sincerely apologize for any inconvenience," the spokeswoman said.

Klarna has been well known in Germany at least since its acquisition of Sofort AG in 2013. The company offers various payment methods for merchants and customers, including Sofortüberweisung and purchase on account. Klarna is expanding its product range: since the beginning of the year, it has also offered an account in Germany. Most recently, the company raised one billion US dollars from investors.
