Klarna Privacy Incident Was ‘Self-Inflicted Bug’, Experts Weigh In

Klarna has experienced a data privacy incident that it says affected 90,000 users. Some users report that they were able to see other users' private information. Klarna says the incident exposed only "non-sensitive data" as classified under GDPR.

Expert Comments

May 31, 2021
David Stewart
CEO
CriticalBlue - Approov

It's hard to say what caused this issue without more data, but it has all the hallmarks of a BOLA (Broken Object Level Authorization) vulnerability. Our recent security research into mHealth apps and APIs surfaced similar issues. The key lesson is understanding the importance of ensuring that the user getting the data is really authorized to do so, and that this needs to be tracked all the way down the backend stack, not just on the perimeter.

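Stewart's comment describes the shape of the flaw rather than its specific cause, which the page does not establish. As an added example (not code from the page, from Klarna, or from any of the commenters' companies), the Python below contrasts an order-lookup handler with that BOLA pattern against one that carries the authenticated caller's identity down to the data-access layer. The session tokens, user ids, order records and function names are all constructed for the illustration.

```python
"""BOLA (Broken Object Level Authorization) illustrated on a tiny order API.

Added example for this page. It is not Klarna's code and does not claim to
show how the Klarna incident actually occurred. Every name below (tokens,
users, orders, handler functions) is constructed for the example.
"""
from typing import Optional

# Constructed sample state: session tokens and two customers' orders.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
ORDERS = {
    1001: {"owner": "alice", "card_last4": "4242", "address": "1 Example Street"},
    1002: {"owner": "bob",   "card_last4": "1111", "address": "2 Sample Road"},
}


def authenticate(token: Optional[str]) -> Optional[str]:
    """Perimeter check: resolve a session token to a user id, or None.

    This is all an API gateway typically verifies. It answers "is this a
    logged-in user?" and says nothing about which records that user may read.
    """
    return SESSIONS.get(token) if token else None


def public_view(order: dict) -> dict:
    """Strip server-side fields (ownership) from what is returned to clients."""
    return {k: v for k, v in order.items() if k != "owner"}


# --- Vulnerable: authorization stops at the perimeter ---------------------

def handle_get_order_vulnerable(token: Optional[str], order_id: int):
    """GET /orders/{id} with the classic BOLA flaw.

    The handler checks that *a* user is logged in, then looks the order up by
    the client-supplied id alone. Any authenticated user can read any order
    simply by changing the id in the request.
    """
    if authenticate(token) is None:
        return 401, {"error": "unauthenticated"}
    order = ORDERS.get(order_id)
    if order is None:
        return 404, {"error": "not found"}
    return 200, public_view(order)


# --- Hardened: the data layer itself takes the caller into account --------

def find_order_for(caller: str, order_id: int) -> Optional[dict]:
    """Repository lookup scoped to the caller.

    Ownership is enforced where the data is fetched, not only in the handler,
    so every code path that reaches the store must name the caller. A missing
    order and someone else's order look identical to the client, which
    removes the id-enumeration oracle that a 403-versus-404 split would give.
    """
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != caller:
        return None
    return order


def handle_get_order_secure(token: Optional[str], order_id: int):
    """GET /orders/{id} with object-level authorization carried to the store."""
    caller = authenticate(token)
    if caller is None:
        return 401, {"error": "unauthenticated"}
    order = find_order_for(caller, order_id)
    if order is None:
        return 404, {"error": "not found"}
    return 200, public_view(order)


if __name__ == "__main__":
    # Bob asks for Alice's order 1001: the vulnerable handler serves it,
    # the hardened one answers 404.
    print("vulnerable:", handle_get_order_vulnerable("tok-bob", 1001))
    print("secure:    ", handle_get_order_secure("tok-bob", 1001))
```

The design point is that `find_order_for` cannot be called without a caller, so a future endpoint that reuses the repository inherits the ownership check instead of having to remember to add one; that is what "tracked all the way down the backend stack" looks like in code. Returning the same 404 for "no such order" and "not your order" is a deliberate choice so that a probing client cannot use the status code to confirm which ids exist.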
May 31, 2021
Andy Norton
European Cyber Risk Officer
Armis

Anything that can be used to personally identify a citizen of Europe is classified as GDPR controlled data. The app seems to have stored GDPR controlled data, such as profile settings, delivery address information, payment card data, and history of purchases. It appears a bad actor could have got products sent to an address and paid for it with the stored card information. Unfortunately, I believe Klarna will be dealing with this issue for longer than they would hope.

May 31, 2021
Lewis Jones
Threat Intelligence Analyst
Talion

Whilst Klarna is claiming that only non-sensitive data was compromised, reporting appears to indicate that sensitive data, including names, mobile numbers, addresses and financial details, was visible during the incident. This would be classified as sensitive data and could land Klarna a heavy GDPR fine.

The difference between sensitive and non-sensitive data is that sensitive data shouldn't be readily available from other open sources and contains information you wouldn't want exposed on a public record. On the other hand, non-sensitive data is data that would be readily available. However, this is all open to interpretation by the individual.

Klarna could find themselves with a large GDPR fine; however, an investigation will need to take place to define what, if any, sensitive information was breached. As well as a possible hefty fine, a further consequence could be damage to reputation and customer confidence, with individuals more conscious of how their data is used by businesses. This isn't the first time that Klarna has been investigated for potential data failings: back in 2020 the Information Commissioner's Office (ICO) launched an investigation into apparent accidental misuse of data obtained from the online retailers to which it provides services.

May 31, 2021
Trevor Morgan
Product Manager
comforte AG

Any breach of personal information is potentially a serious one. Given that all the details are still fuzzy, we have to take them at face value: that sensitive information, including bank or card details, was not part of the revealed information and that any type of sensitive information like this was obfuscated. Of course, this is a fairly recent incident, so we need to give Klarna the time to investigate the situation and reveal more of the context and the fallout as the facts become known to them.

Sensitive information is not publicly available information; it leaves a person vulnerable to compromise and can potentially be leveraged to commit any number of crimes, such as identity theft. Sensitive information can include identifying numbers such as social security numbers or payment card numbers. Non-sensitive information includes data that is usually publicly available and typically innocuous, such as a listed telephone number in the local phone book. Keep in mind, though, that what might seem initially non-sensitive can be used in aggregate with other pieces of information to build out a data profile which could actually compromise the victim.

Again, the facts all need to come to light after thorough investigations and the methodical uncovering of the facts around the incident. The important thing to note is that Klarna is following mandated processes by revealing the nature of the breach as they currently understand it and committing to reveal more information as clearer facts become known. At the end of the day, the legal ramifications of any breach can always be significant depending on the circumstances, but the biggest ramification right now is reputational. How Klarna navigates the incident moving forward will largely determine the overall damage in the eyes of regulators and consumers.

May 31, 2021
Jake Moore
Cybersecurity Specialist
ESET

This highlights once again that we need to remain cautious of our data, which could easily be stolen or abused whether we're directly targeted by bad actors or not. Although this mishap doesn't appear to have been specifically targeted at any particular victims, it proves that we must be vigilant to attacks, should we ever be singled out due to a previous compromise of any level.

Any data involving personal or financial information has the potential to reach the hands of those wanting to abuse the situation. More robust barriers must be in place to protect our most valuable asset.

May 31, 2021
Steven Hope
CEO and co-founder
Authlogics

This incident is more of a leak than a breach, as Klarna weren't targeted in this instance; it was more a self-inflicted bug due to human error. The GDPR legislation lays out actions which must be taken depending on the classification of the data leaked; however, timely disclosure is a key part that Klarna appear to have adhered to quite well.

Examples of "non-sensitive" data would include gender, date of birth, place of birth and postcode, whereas examples of "sensitive" data would include racial or ethnic origin, religious or political beliefs, sexual orientation etc. In contrast, examples of "personal" data would include names, email and location/address information, which are far more specific to a person. We would imagine this is more of an embarrassing moment for Klarna and shouldn't have longer-term legal ramifications. We currently don't expect to see data from this incident being found on the dark web, but if it is we will be looking for it.