May 27, 2021

Klarna down after “self-inflicted incident” apparently lets 9,500 users see others’ accounts

By Eric Johansson

Buy-now-pay-later tridecacorn Klarna has shut out users from its services after suffering “a self-inflicted incident”, which reportedly let approximately 9,500 users see other people’s accounts.

The Swedish fintech company is valued at over $31bn after a $1bn funding round in March. On Thursday afternoon, the BNPL giant closed its service to users. Visitors to Klarna’s website are met with the message:

“We are currently experiencing system disturbances caused by a technical error. We apologise for any inconvenience this is causing. Whilst we are addressing the issue, customers are unable to log into the app.”

Klarna’s CEO Sebastian Siemiatkowski tweeted: “So sad and frustrating to realize that we have had a self-inflicted incident, for 30 min, affecting the privacy of some of our users. Full attention from all colleagues to bring back things to normal, take actions to avoid this going forward and communicate broadly. More to come”

He subsequently published a blog post about the incident on Klarna’s website, suggesting that while the incident affected about 90,000 customers, it only exposed data deemed non-sensitive under the General Data Protection Regulation (GDPR).

“Trust is at the very core of Klarna and banking,” Siemiatkowski writes. “This is why we are sad and frustrated to inform you of a self-inflicted incident, that for 31 min affected up to 0.1%, approximately 90 000, of our users.

“The bug led to random user data being exposed to the wrong user when accessing our user interfaces. It is important to note that the access to data has been entirely random and not showing any data containing card or bank details (obfuscated data was visible). This means that it has been impossible to access a specific user’s data. According to GDPR standards, only non-sensitive data was exposed. However we recognize that what is deemed non-sensitive is very individual, and we set our own standards higher than GDPR.”

The CEO stated that the bug was detected at 11.04 CET on Thursday, 15 minutes after an update had been introduced. The bug affected users of Klarna’s app.

“Our payment services, the Klarna Card, the merchant checkouts and the merchant’s user interfaces, were completely unaffected by this,” Siemiatkowski said. “At 11.20.42 CET the error was deemed to be contained and fixed.

“It’s concluded that a human error caused the bug and it was not an external breach of our systems. Unfortunately, an inadequate risk assessment of a subsystem allowed for a handling error to be introduced into our live systems without proper quality assurances. As the root cause was quickly identified, we immediately took appropriate actions with dedicated teams working on this as a top priority.”

The Klarna boss claims that, since the company has identified the root cause of the problem, it has rolled back the bug, is preparing to take the system live again, and has “informed appropriate authorities”.

Klarna is now working on analysing the incident to “understand exactly which consumers have been affected and how” and to understand “how the risk assessment of the specific systems was invalid, to implement appropriate actions to avoid this and similar incidents going forward.”

Siemiatkowski concluded: “We are truly sorry for any inconvenience. Our customers’ trust and safety are our top priority, which makes situations like these extra important to us.”

A few hours later the Klarna CEO tweeted: “We previously reported ‘up to 90 000, of our users could have been affected’. While obviously even a single exposure is unacceptable, continuous work on exact impact assessment has significantly reduced this so it most likely not more than 9,500. More updates to come.”

The post seemingly confirms the account of one Twitter user who had flagged the problem earlier in the day. The user with the profile name esra efe laborde claims that she was able to see other people’s accounts when logged into the platform.

“Each time I tried to log in to my @Klarna account this morning, I’m on someone else’s account? Does this also mean someone else might currently be on my account? What the hell is going on?!!” she tweeted.

Attached screenshots appear to support this.

Klarna’s customer service account has replied, tweeting:

“We are currently experiencing system disturbances caused by a technical error. We apologise for any inconvenience this is causing. Whilst we are addressing the issue, customers are unable to log into the app.”

According to Swedish newspaper Dagens Industri, financial markets regulator Finansinspektionen has contacted Klarna about the incident.

Siemiatkowski claims that only information classified as non-sensitive under GDPR was compromised when Klarna bungled its update, but the difference between non-sensitive and sensitive data is not clear to everyone.

“Sensitive data are defined as a special category of personal data that needs more protection, especially when it comes to the processing of this data,” Laura Petrone, senior analyst at GlobalData, tells Verdict. “The category includes a person’s race or ethnicity, political and religious beliefs, health condition, sexual orientation, criminal filings and court proceedings. So non-sensitive data are all personal data not falling into this category.”

Breaching GDPR is a serious offence that could have far-reaching consequences for a company.

“According to GDPR, companies must notify authorities within 72 hours if there is a data breach, of both sensitive and non-sensitive data, and customers must be informed in a timely manner if the breach poses a risk to them,” Petrone explains.

“Non-compliant organisations can be fined up to €20m ($22m) or 4% of annual global turnover, whichever is higher. As an example, applying data protection regulation, the Information Commissioner’s Office in the UK fined Facebook a maximum £500,000 ($625,000) in 2018 for failing to safeguard users’ information in the Cambridge Analytica scandal.”

It is unclear whether the compromised data in this incident would constitute a breach of GDPR. But Lewis Jones, threat intelligence analyst at Talion, tells Verdict that a potential fine isn’t the only risk Klarna faces following the incident.

“As well as a possible hefty fine a further consequence could be the damage to reputation and customer confidence with individuals more conscious of how their data is used by businesses,” Jones says.

Verdict has updated the story to include Siemiatkowski’s statements and will update this story as it evolves.