Status: 12.01.2022 at 6:09 PM.
The sensitive data of users of many online shops has remained unprotected on the Internet for years. According to information from PlusMinus, the customers have not yet been informed.
Mail and postal addresses, order information, telephone numbers and in some cases even bank details: more than a million data records from an estimated 700,000 users across Germany are affected by massive security gaps. As a result, they have been unsafe on the Internet for many years.
Data leak at an interface service provider
Larger platforms such as Otto, Kaufland and Mediamarkt also operate marketplaces on their sites, where outside dealers present their products. In order to sell on the platforms, dealers connect their merchandise management systems to the online marketplaces through so-called interface service providers. The respective platforms provide interfaces for this, and the service providers connect to them.
They then process the customer’s order data for the dealer. There are about a dozen such interface service providers in Germany. One of them had insecure data. The following marketplaces have been affected by the data leak: Otto, Kaufland (formerly Real), Mediamarkt, Check24, Tier24, Idolo, Hood and Crowdfox.
Who’s in charge?
This flaw was discovered by a programmer in the summer of 2021. The data leak has been stopped, but according to ARD research the affected customers have not yet been informed. PlusMinus was able to view data records exclusively and talk to affected customers. One of them is Christa Reese-Zunft. She ordered several pillow fillings on Kaufland.de in March 2021. Due to the data leak, her postal and e-mail addresses as well as her invoice and order details were online. “I think the data is safe. Platforms have to inform people about it,” said the Stuttgart resident.
The platforms state that they are not responsible for the marketplace under data protection law. Kaufland told PlusMinus that it is merely an “intermediary between the customers and the dealers”. Dealers are the direct contractual partners of the customers. Therefore, dealers are also responsible for the security of customer data.
The responsible state data protection officers have already investigated the data leak. For Stefan Brink, the state data protection officer of Baden-Württemberg, the fact that affected customers have not been notified for months is a “serious and reprehensible process”.
Is the data already on the darknet?
Swiss IT security expert Mark Roof analyzed the data for PlusMinus and checked whether it may already have been traded on the darknet. “The data is very specific, it includes payment information. You can use it to fill out phishing emails or commit identity theft,” Roof says. However, it is now unclear whether the relevant data sets were actually traded on the darknet – as the data leak had existed for three years.
ARD magazine PlusMinus will report on the subject today at 9:24 pm.