Sensitive data from several online shops has been lying unprotected on the Internet for years

Tags: online shops sensitive data unprotected vulnerability Internet marketplaces IT security

Bank details, telephone numbers, order information, postal addresses and email addresses were stored on the Internet for years without any protection. The data came from online stores, and an estimated 700,000 users in Germany are affected. This is a massive security vulnerability: because of it, highly sensitive data sat openly accessible on the Internet for several years.

The service provider of the interface and the data leak

Today it is common for providers such as Media-Markt, Kaufland or Otto to run online marketplaces on which any external retailer connected to the platform can offer its products. To handle these sales, a service provider sets up an interface that links the retailer's merchandise management system to the online marketplace. The interfaces themselves are provided by the respective platform, and the service provider connects to them.

Accordingly, the order data of customers and users is passed on to the retailers and processed. There are several such interface service providers; in Germany, there are about a dozen. However, one of these service providers had a massive data leak, leaving the data unprotected. The following marketplaces are affected:

· idealo
· Media-Markt
· Kaufland
· Otto
· Check24, Tyre24
· Hood
· Crowdfox

From a legal point of view, however, the platforms are not responsible at all for the downstream processing and the data leak. Most providers are not living up to their responsibility: the affected customers were not even informed about the data leak.

Accidental discovery

It was not until the summer of 2021 that a programmer discovered this security vulnerability. Although the leak was closed immediately, customers remain unaware of their situation. There are, however, ways to view only the affected records, so it would in theory be possible to inform the customers concerned. Yet each platform explicitly states that it is not responsible for data protection on its marketplace. The platforms act more or less only as intermediaries between customer and retailer; it is the retailer who is the customer's direct contractual partner and who is therefore responsible for processing the customer data.

Situation still unclear

At the moment, the data leak is being investigated by the responsible state data protection commissioners. That customers have still not been informed about it after months is both scandalous and serious.

IT security experts have since reviewed and analyzed the data, and it is suspected that it is also being traded on the darknet. Many records also contain payment information, which is ideal material for criminals' phishing mails and can be used for identity theft. Whether the data is actually being traded on the darknet is not yet clear. In total, the data leak existed for three years.