May 27, 2021 (updated 24 Jan 2022, 7:27am)

Breaking: Klarna down after “self-inflicted incident” apparently lets 90,000 users see others’ accounts

By Eric Johansson

Buy-now-pay-later tridecacorn Klarna has shut out users from its services after suffering “a self-inflicted incident”, which reportedly let approximately 90,000 users see other people’s accounts.

The Swedish fintech company is valued at over $31bn after a $1bn funding round in March. On Thursday afternoon, the BNPL giant closed its service to users. Visitors to Klarna’s website are met with the message:

“We are currently experiencing system disturbances caused by a technical error. We apologise for any inconvenience this is causing. Whilst we are addressing the issue, customers are unable to log into the app.”

Klarna’s CEO Sebastian Siemiatkowski tweeted: “So sad and frustrating to realize that we have had a self-inflicted incident, for 30 min, affecting the privacy of some of our users. Full attention from all colleagues to bring back things to normal, take actions to avoid this going forward and communicate broadly. More to come”

He subsequently published a blog post about the incident on Klarna’s website, stating that while the incident affected about 90,000 customers, it only exposed data classed as non-sensitive under the General Data Protection Regulation (GDPR).

“Trust is at the very core of Klarna and banking,” Siemiatkowski writes. “This is why we are sad and frustrated to inform you of a self-inflicted incident, that for 31 min affected up to 0.1%, approximately 90 000, of our users.

“The bug led to random user data being exposed to the wrong user when accessing our user interfaces. It is important to note that the access to data has been entirely random and not showing any data containing card or bank details (obfuscated data was visible). This means that it has been impossible to access a specific user’s data. According to GDPR standards, only non-sensitive data was exposed. However we recognize that what is deemed non-sensitive is very individual, and we set our own standards higher than GDPR.”

The CEO stated that the bug was detected at 11.04 CET on Thursday, 15 minutes after an update had been introduced. The bug affected Klarna’s app users.

“Our payment services, the Klarna Card, the merchant checkouts and the merchant’s user interfaces, were completely unaffected by this,” Siemiatkowski said. “At 11.20.42 CET the error was deemed to be contained and fixed.

“It’s concluded that a human error caused the bug and it was not an external breach of our systems. Unfortunately, an inadequate risk assessment of a subsystem allowed for a handling error to be introduced into our live systems without proper quality assurances. As the root cause was quickly identified, we immediately took appropriate actions with dedicated teams working on this as a top priority.”

The Klarna boss says that, having identified the root cause of the problem, the company has rolled back the bug, is preparing to bring the system back live, and has “informed appropriate authorities”.

Klarna is now working on analysing the incident to “understand exactly which consumers have been affected and how” and to understand “how the risk assessment of the specific systems was invalid, to implement appropriate actions to avoid this and similar incidents going forward.”

Siemiatkowski concluded: “We are truly sorry for any inconvenience. Our customers’ trust and safety are our top priority, which makes situations like these extra important to us.”

The post appears to confirm the account of one Twitter user who had flagged the problem earlier in the day. The user with the profile name esra efe laborde claims that she was able to see other people’s accounts when she logged in to the platform.

“Each time I tried to log in to my @Klarna account this morning, I’m on someone else’s account? Does this also mean someone else might currently be on my account? What the hell is going on?!!” she tweeted.

Attached screenshots appear to support this.

Klarna’s customer service account has replied, tweeting:

“We are currently experiencing system disturbances caused by a technical error. We apologise for any inconvenience this is causing. Whilst we are addressing the issue, customers are unable to log into the app.”

According to Swedish newspaper Dagens Industri, financial markets regulator Finansinspektionen has contacted Klarna about the incident.

Verdict has updated the story to include Siemiatkowski’s statement and will continue to update it as it evolves.
