I already know why I don't let financial service providers or fintechs access my bank accounts via an app. According to media reports, the Swedish payment service provider Klarna has suffered a serious data protection breach. For a short time on Thursday morning (May 27, 2021), users of the Klarna app were able to view the data and transactions of other users. The provider took the app offline after the data breach became known.
Klarna is a Swedish payment provider headquartered in Stockholm. The company offers payment solutions for e-commerce. Its core service is to take over merchants' payment claims and to process the customer payments from that point on. According to the company, a total of 200,000 online merchants in 17 countries use Klarna, and 90 million end consumers use the company's payment methods. On its website, Klarna promotes its app as making shopping smarter ("Smooth Shopping"): favorite items can be saved and shared, purchases can be managed and paid for – and, as a carrot, there are sale alerts and deals.
The data breach
I became aware of the serious data breach via the following tweet; the incident has since been confirmed by the Swedish payment service provider Klarna. The status updates are listed newest first:
Monitoring – Klarna log in is now available for all platforms in all locations.
May 27, 17:47 CEST
Update – Consumers can now login to Klarna at app.klarna.com. We will provide further updates regarding our mobile apps in the near future.
May 27, 16:24 CEST
Update – Consumers in the EU can now login to Klarna at app.klarna.com. We will provide further updates regarding both other regions and our mobile apps in the near future.
May 27, 16:15 CEST
Update – We are continuing to investigate issues with the Klarna consumer app. In the meantime, customers can still continue to make purchases using Klarna. We apologize for the disruption.
May 27, 14:02 CEST
Update – We are currently experiencing system disturbances caused by a technical error. We are doing our utmost to return our system and services to full capacity and apologize for any inconvenience this is causing. While we are addressing the issue, customers are unable to log into the app.
May 27, 12:01 CEST
Investigating – Technical teams are investigating the issue.
May 27, 11:32 CEST
After an app update, users noticed that they were suddenly shown the data and transactions of other users in the app. Numerous users complained about this behavior on Twitter.
Anyone who logged out and back in several times was shown the data of a different customer each time. According to media reports, 90,000 users (around 0.1 percent of accounts) were affected. Klarna attributes the incident to a "human error": it was caused by an update applied at 10:50 a.m. and lasted 31 minutes, the company said. In the linked article on Golem, Klarna's statement is quoted as follows:
The error caused random user data to become visible to incorrect users when accessing our user interface. It is extremely important for us to emphasize that the access to the data was completely random and no card or bank data was displayed (encrypted data was visible). […]
In accordance with the GDPR standards, only non-sensitive data was disclosed. However, we recognize that what is considered non-sensitive is perceived very individually, and we always set our own standards higher than those of legal regulations such as the GDPR.
Klarna writes that it was not possible to access the data of a specific, chosen user. Whether the whole thing is relevant under the GDPR should be judged by the data protection authorities – in my view, it is already GDPR-relevant if I can see the transaction data of third parties, even if the assignment was random. Users also disagree with Klarna's account. The company is a repeat offender, by the way: during my research I came across this article from February 2020. At the time, Klarna users noticed that entering their zip code and email address was enough to have order forms filled with additional data; the forms were then automatically pre-filled with address data, and in some cases even date of birth or phone number. And in October 2020, data protection regulators launched an investigation because the company had sent a newsletter to users without their consent, according to the BBC.