After publication of data leak – house search at IT specialist

An IT specialist draws attention to a data leak that potentially affects hundreds of thousands of online retailers. But instead of a thank you, the police suddenly appear at his door.

Frankfurt – Data leaks keep causing a stir in Germany, especially when potentially hundreds of thousands of customers are affected. This is what happened in July 2021. An IT expert tracked down the leak and made public how easy it was to access sensitive data such as payment information from customers of large online shops. Users of marketplaces such as Check24, Kaufland and Otto were potentially affected.

The cause was a security hole that allowed information about customers who bought from smaller retailers on the online marketplaces to be read out. According to information from Spiegel, up to 700,000 end customers were affected. However, the data leak was not with the retailers themselves, but with a company that acted as an interface service provider. An IT expert discovered the leak – and was reported to the authorities for it.

Check24, Otto and Co. – data leak affects potentially hundreds of thousands of customers

The aforementioned interface service provider, Modern Solutions, supports retailers in offering their products on various online marketplaces. One such retailer ran into a problem with the software and hired an IT specialist, who found the security hole. As Spiegel reports, the hole was also a result of how the Modern Solutions software worked.

Access credentials for the interface service provider's server were stored in this software and could be read out. This made it possible to access a large amount of customer data stored on the servers. “You have to imagine that there is a program that aggregates all data from all dealers and from their marketplaces. And then they had stored the password for their databases in plain text and without encryption, and on top of that, they hadn’t deleted customer data on the server for years,” the expert told Spiegel. It is unclear whether this data leak, which has apparently existed for years, has already been exploited by third parties.

The programmer reports a data leak, then the police turn up at his company

The programmer then sent an email to the company and told them about the problem over the phone. “In the telephone conversation, however, the company denied the security gap,” the IT specialist told the Golem.de portal. He had also turned to the operator of a website and described the case to him. The first article on the topic was published at the end of June 2021 on Mark Steier’s website, which specializes in online trading. But the case does not end there; it turns into a real crime thriller. As the Otto online store told Spiegel, the Modern Solutions system continued to be insecure even after the security gap had been declared fixed.

A few months have passed since then, but the situation does not seem to have calmed down. As reported by Golem.de, among others, the IT specialist was surprised by a house search on September 15th. The portal has the record of the search, which names “spying on data” among the grounds. Instead of being thanked for finding the vulnerability, the programmer was reported. The website operator Mark Steier was also reported after he had covered the case. When asked by Golem.de, Modern Solutions declined to comment further, citing ongoing investigations.

During the house search at the IT expert’s company, several notebooks and hard drives as well as two USB sticks and his cell phone were confiscated. In order to get financial help for the upcoming legal battle, he turned to a fundraising website. With the money he hopes to defend himself against the allegations.

Hundreds of thousands affected by data leak: Lilith Wittmann with a clear demand

Lilith Wittmann commented on the incident on Twitter. Her case shows certain parallels. She had demonstrated security gaps in the CDU’s election campaign app. As a result, criminal charges were brought against her, but the CDU withdrew them after increasing public pressure. She demanded in a tweet: “Okay, we really need a list for companies / organizations that have been permanently disqualified for Responsible Disclosures.” (Sophia Lother)
