Klarna Privacy Incident Was ‘Self-Inflicted Bug’, Experts Weigh In

Klarna has experienced a data privacy incident that it says affected 90,000 users. Some users report that they were able to see other users’ private information. Klarna says the incident only exposed “non-sensitive data” as classified under GDPR.

David Stewart
InfoSec Expert
May 31, 2021 12:29 pm

It’s hard to say what caused this issue without more data, but it has all the hallmarks of a BOLA (Broken Object Level Authorization) vulnerability. Our recent security research into mHealth apps and APIs (https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUXsW-2Ff9nBaXELW3V-2FKbqk78Qsny7r7w1ith-2FNlAyxhC57cqs_S3RA1gMvL7v1TdZrqvF2X48vY2LyH9KYdxKxBaPFp6Fl1TEEsXDQbgk-2FWPw9Ah5nwh5z3HPLIw79cePUeHvYGbACtpGEOUo9gKA7RdPV7CHYnRZ1BgjoepqPsAq5T4X7OPHmw4iuricWSmMEgE-2Bxhf2CwJ8738zIzfT-2BI3BZQiCio-2B-2B6wad-2FRyUq1-2F-2FcoLyorPx4n-2BivWBcvHO66iMAonAGuoiC8rdbYzUe5SyjeZeVt41Cso2TWENfYlFoea7kg-2Fq7RW9H6rvmIau21NjOWThPPITL5yoLw14FzhqajN1ch8E7eH7dMdAnoyTOBJtcyG0U0xWs8aYz4MGsaIqziZFnq6Iu16CVTYdBjfjAHTwrvNnkFkpUsdiWkuyHkYx4U) surfaced similar issues. The key lesson is understanding the importance of ensuring that the user getting the data is really authorized to do so and that this needs to be tracked all the way down the backend stack, not just on the perimeter.

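The BOLA pattern described in the comment above, shown as an added example (constructed for this page; it is not Klarna's code and makes no claim about how Klarna's API is built). The data store, user IDs and order IDs are made up. The first function authenticates the caller but never checks that the requested object belongs to them; the second pushes the ownership check into the data-access layer so that every handler above it is scoped to the calling user by construction:

```python
"""BOLA (Broken Object Level Authorization): vulnerable lookup beside a hardened one.

Constructed illustration, not code from Klarna or from the page's author.
All identifiers and records below are made up.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    delivery_address: str
    card_last4: str


# Constructed sample data: two customers (user 7 and user 8), one order each.
ORDERS = {
    1001: Order(1001, owner_id=7, delivery_address="1 Example Street", card_last4="4242"),
    1002: Order(1002, owner_id=8, delivery_address="2 Sample Road", card_last4="0005"),
}


class NotAuthenticated(Exception):
    """Raised when no valid session user is present."""


# --- Vulnerable pattern -------------------------------------------------------
def get_order_vulnerable(session_user_id: Optional[int], order_id: int) -> Optional[Order]:
    """Checks *authentication* (there is a logged-in user) but not *authorization*
    (that this user owns the order). Any logged-in user who guesses or increments
    order_id reads another customer's delivery address and card fragment."""
    if session_user_id is None:
        raise NotAuthenticated("login required")
    return ORDERS.get(order_id)


# --- Hardened pattern ---------------------------------------------------------
def find_order_for_user(session_user_id: int, order_id: int) -> Optional[Order]:
    """Data-access layer: the lookup itself is scoped to the caller.

    Because ownership is part of the query rather than an optional check in the
    handler, a handler that forgets to authorize still cannot return someone
    else's record. A non-owned order is reported as 'not found' rather than
    'forbidden' so the endpoint does not confirm that the ID exists."""
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != session_user_id:
        return None
    return order


def get_order_secure(session_user_id: Optional[int], order_id: int) -> Optional[Order]:
    """Handler: authenticate, then delegate to the user-scoped data layer."""
    if session_user_id is None:
        raise NotAuthenticated("login required")
    return find_order_for_user(session_user_id, order_id)


def demo() -> dict:
    """User 7 requests user 8's order through both code paths."""
    leaked = get_order_vulnerable(7, 1002)          # returns user 8's order
    blocked = get_order_secure(7, 1002)             # returns None
    own = get_order_secure(7, 1001)                 # returns user 7's own order
    return {
        "vulnerable_leaks_other_user": leaked is not None and leaked.owner_id == 8,
        "secure_blocks_other_user": blocked is None,
        "secure_returns_own_order": own is not None and own.order_id == 1001,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The practical check for an API like this is to take two test accounts, capture a request for an object owned by account A, replay it with account B's session token and confirm the response is a 404 or 403 rather than A's data; the same replay should be run against every endpoint that takes an object identifier, not only the obvious ones.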
Andy Norton, European Cyber Risk Officer
InfoSec Expert
May 31, 2021 12:20 pm

Anything that can be used to personally identify a citizen of Europe is classified as GDPR controlled data. The app seems to have stored GDPR controlled data, such as profile settings, delivery address information, payment card data, and history of purchases. It appears a bad actor could have got products sent to an address and paid for it with the stored card information. Unfortunately, I believe Klarna will be dealing with this issue for longer than they would hope.

Lewis Jones, Threat Intelligence Analyst
InfoSec Expert
May 31, 2021 12:18 pm

Whilst Klarna is claiming that only non-sensitive data was compromised, reporting appears to indicate that sensitive data, including names, mobile numbers, addresses and financial details, was visible during the incident. This would be classified as sensitive data and could land Klarna a heavy GDPR fine.

The difference between sensitive and non-sensitive data is that sensitive data shouldn’t be readily available from other open sources and contains information you wouldn’t want exposed on a public record. On the other hand, non-sensitive data is data that would be readily available. However, this is all open to interpretation from the individual.

Klarna could find themselves with a large GDPR fine; however, an investigation will need to take place to define what, if any, sensitive information was breached. As well as a possible hefty fine, a further consequence could be the damage to reputation and customer confidence, with individuals more conscious of how their data is used by businesses. This isn’t the first time that Klarna has been investigated for potential data failings: back in 2020 the Information Commissioner’s Office (ICO) launched an investigation into apparent accidental misuse of data obtained from the online retailers to which it provides services.

Trevor Morgan, Product Manager
InfoSec Expert
May 31, 2021 12:02 pm

Any breach of personal information is potentially a serious one. Given that all the details are still fuzzy, we have to take them at face value: that sensitive information, including bank or card details, was not part of the revealed information and that any type of sensitive information like this was obfuscated. Of course, this is a fairly recent incident, so we need to give Klarna the time to investigate the situation and reveal more of the context and the fallout as the facts become known to them.

Sensitive information is not publicly available information that leaves a person vulnerable to compromise and can potentially be leveraged to commit any number of crimes, such as identity theft. Sensitive information can include identifying numbers such as social security numbers or payment card numbers. Non-sensitive information includes data that is usually publicly available and typically innocuous, such as a listed telephone number in the local phone book. Keep in mind, though, that what might seem initially non-sensitive can be used in aggregate with other pieces of information to build out a data profile which could actually compromise the victim.

Again, the facts all need to come to light after thorough investigations and the methodical uncovering of the facts around the incident. The important thing to note is that Klarna is following mandated processes by revealing the nature of the breach as they currently understand it and committing to reveal more information as clearer facts become known. At the end of the day, legal ramifications of any breach can always be significant depending on the circumstance, but the biggest ramification right now is reputational. How Klarna navigates the incident moving forward will largely determine the overall damage in the eyes of regulators and consumers.

Jake Moore, Cybersecurity Specialist
InfoSec Expert
May 31, 2021 11:59 am

This highlights once again that we need to remain cautious of our data, which could easily be stolen or abused whether we’re directly targeted by bad actors or not. Although this mishap doesn’t appear to have been specifically targeted at any particular victims, it proves that we must be vigilant to attacks, should we ever be singled out due to a previous compromise of any level.

Any data involving personal or financial information has the potential to reach the hands of those wanting to abuse the situation. More robust barriers must be in place to protect our most valuable asset.
