Massive data leak: user data online for years

As of: 12.01.2022 6:09 p.m.

Sensitive data belonging to users of several online shops lay unprotected on the Internet for years. According to Plusminus research, the affected customers have not yet been informed of this.

E-mail and postal addresses, order information, telephone numbers and in some cases even bank details: more than a million data records from an estimated more than 700,000 users across Germany are affected by a massive security gap. As a result, this data sat unprotected on the Internet for several years.

Data leak at an interface service provider

The large platforms Otto, Kaufland and Mediamarkt also operate marketplaces on their sites, where external merchants offer their products. To sell on these platforms, the merchants connect their inventory management systems to the online marketplace through so-called interface service providers. Each platform provides interfaces for this purpose, and the service providers connect to them.

The service providers then process customers' order data on behalf of the merchant. There are around a dozen such interface service providers in Germany, and one of them left its data unprotected. The following marketplaces are affected by the data leak: Otto, Kaufland (formerly Real), Mediamarkt, Check24, Tyre24, idealo, Hood and Crowdfox.

Who is responsible?

The vulnerability was discovered by a programmer in the summer of 2021. The data leak has since been closed, but according to ARD research the affected customers have not yet been informed about it. Plusminus was able to view the data records exclusively and speak to affected customers. One of them is Christa Reise-Zunft, who had ordered several pillow fillings on Kaufland.de in March 2021. Because of the data leak, her postal and e-mail addresses as well as her invoice and order details were online. “I think the data is protected. The platforms have to notify people about it,” said the Stuttgart resident.

The platforms point out that, under data protection law, they are not responsible for the marketplaces. Kaufland told Plusminus that it is only “an intermediary between customers and merchants”. The merchants are the customers' direct contractual partners and are therefore also responsible for protecting customer data.

The responsible state data protection authorities have already investigated the data leak. For Stefan Brink, the state data protection commissioner of Baden-Württemberg, the fact that the affected customers have not been informed for months is a “serious and scandalous matter”.

Data already on the darknet?

Swiss IT security expert Marc Ruef analyzed the data for Plusminus and checked whether it may already have been traded on the darknet. “The data is very specific; it also includes payment information. It could be used to craft phishing emails or to commit identity theft,” says Ruef. However, whether the affected data sets were actually traded on the darknet can no longer be determined, because the data leak had existed for three years.

The ARD magazine Plusminus will report on this topic this evening at 9:24 p.m.
