28 May 2021 at 15:04 UTC
Updated: 31 May 2021 at 10:58 UTC
Fintech firm rules out external attack
E-commerce payment provider Klarna has apologized for a security incident on Thursday morning that resulted in users getting signed into other members’ accounts when they logged in.
Users were able to see the name, associated postal address, purchases, and payment methods of other users because of the glitch. Partial banking details were also visible, according to early reports from Sweden.
Some Klarna users on social media reported that every time they logged in they were confronted with a different, seemingly random, user’s details.
In response, Sweden-based Klarna temporarily suspended its app services while it dealt with the data leak issue. The problem was quickly traced to a bug introduced during an update to Klarna’s systems rather than any external breach.
The fintech firm was able to resolve the issue by rolling back the faulty update before restoring services.
In a statement, Klarna said the issue affected a total of 9,500 app users over the course of 31 minutes, adding that only app logins were affected by the issue. The fintech firm nonetheless promised to review its software release process, as a precaution.
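One concrete control that a release-process review of this kind tends to produce is a post-deploy gate that checks account isolation before traffic is restored: log in as several test accounts and confirm that each session is served its own profile. The following Python is an added illustration, not Klarna's code, and the page does not state what Klarna's actual bug was; the toy `ProfileService`, the test accounts and the faulty `CachedProfileService` (a cache keyed without the user id) are all constructed here to show how the check catches a cross-account leak of this shape.

```python
"""Post-deploy account-isolation gate (added example, hypothetical service)."""
import secrets

# Constructed test accounts: user id -> credentials and the profile that
# only that user should ever see.
TEST_ACCOUNTS = {
    "u-alice": {"password": "pw-alice", "name": "Alice", "address": "1 Example St"},
    "u-bob":   {"password": "pw-bob",   "name": "Bob",   "address": "2 Example St"},
    "u-carol": {"password": "pw-carol", "name": "Carol", "address": "3 Example St"},
}


class ProfileService:
    """Minimal session-based profile API; this version is correct."""

    def __init__(self, accounts):
        self._accounts = accounts
        self._sessions = {}  # session token -> authenticated user id

    def login(self, user_id, password):
        rec = self._accounts.get(user_id)
        if rec is None or rec["password"] != password:
            raise PermissionError("bad credentials")
        token = secrets.token_hex(16)
        self._sessions[token] = user_id
        return token

    def profile(self, token):
        uid = self._sessions[token]  # KeyError for unknown tokens
        return self._render(uid)

    def _render(self, uid):
        rec = self._accounts[uid]
        return {"user_id": uid, "name": rec["name"], "address": rec["address"]}


class CachedProfileService(ProfileService):
    """Hypothetical faulty release: a response cache whose key omits the user,
    so whichever profile is rendered first is served to every later session.
    This fault is constructed for the demo, not taken from the incident."""

    def __init__(self, accounts):
        super().__init__(accounts)
        self._cache = {}

    def profile(self, token):
        key = "profile"  # bug: key should include the session's user id
        if key not in self._cache:
            self._cache[key] = super().profile(token)
        return self._cache[key]


def isolation_check(service, accounts):
    """Log in as every test account and return a list of (expected_user,
    served_user) mismatches. An empty list means the gate passes."""
    mismatches = []
    for uid, rec in accounts.items():
        token = service.login(uid, rec["password"])
        served = service.profile(token)
        if served["user_id"] != uid:
            mismatches.append((uid, served["user_id"]))
    return mismatches


def release_gate(service, accounts=TEST_ACCOUNTS):
    """True when the deployed service may receive traffic."""
    return isolation_check(service, accounts) == []


if __name__ == "__main__":
    print("correct build passes:", release_gate(ProfileService(TEST_ACCOUNTS)))
    print("faulty build mismatches:",
          isolation_check(CachedProfileService(TEST_ACCOUNTS), TEST_ACCOUNTS))
```

The check deliberately uses more than one account and compares the identity in the response body, not just the HTTP status: a single test login, or a status-only probe, would have passed against the faulty build because the first session is served correctly and every response is a 200.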
“At 11:04 am CET this morning, we discovered that an update introduced 15 min earlier had led to an error affecting our app users. Our payment services, the Klarna Card, the merchant checkouts, and the merchant’s user interfaces, were completely unaffected by this. At 11:20:42 am CET the error was deemed to be contained and fixed.
It is concluded that a human error caused the bug, and it was not an external breach of our systems. Despite following our set release process, we could still deploy a bug into our systems. This deems our release process to require reviewing and improvement to prevent errors like these in the future.”
Steven Hope, CEO and co-founder of Authlogics, said that Klarna’s privacy flap arose as the result of a self-inflicted bug.
“This incident is more of a leak than a breach, as Klarna weren’t targeted in this instance; it was more a self-inflicted bug due to human error,” Hope said. “The GDPR legislation lays out actions which must be taken depending on the classification of the data leaked; however, timely disclosure is a key part, which Klarna appear to have adhered to quite well.”