The Limited Times


Huge data leak: Otto, Media Markt and others affected - customers have to act

2022-01-14T13:11:10.442Z



Created: 01/14/2022 13:59

By: Paul Broeker

Unencrypted: More than 700,000 users are affected by a huge data leak.

However, the trading platforms do not feel responsible for data protection themselves and refer to the individual dealers.


An IT specialist finds a huge data leak on popular online marketplaces.

But the platforms deflect responsibility.

Kassel – It is not always just the large American Internet companies that are affected by data leaks.

Just last year, a leak of 500,000 sets of user data at Facebook became public.

During maintenance on behalf of a German online retailer, a programmer discovered a huge data leak in large online marketplaces such as Media Markt* in the middle of last year.

It is estimated that more than 700,000 users in Germany are affected.

User data from the following online marketplaces have probably been unprotected on the Internet for several years:

  • Otto

  • Kaufland (formerly real)

  • Media Markt

  • Check24

  • Tyre24

  • Idealo

  • Hood

  • Crowdfox

It would have been easy for criminals to steal the data and use it for fraud attempts.

However, it is not yet clear whether this has happened.

According to tagesschau.de, the data includes e-mail and postal addresses, order information, telephone numbers and sometimes even bank details.

It is unclear whether passwords are also affected.

Huge data leak at Otto, Media Markt and Co.: Marketplaces shift data protection to retailers

Although the case became known in July 2021 at the latest, most of the affected users still do not know about it.

The SWR investigative format Plusminus therefore addressed the security gap in its latest program (01/12/2022).

According to the program, the major trading platforms have not informed their users about the data leak to date.

The platforms consider themselves in the right and refer to the individual traders who connect to their platforms via interfaces.

The marketplaces say that they themselves are not responsible under data protection law.

Kaufland explains to Plusminus that they are only “intermediaries between customers and dealers”.

The dealers are the direct contractual partners of the customers.

Therefore, the dealers are also responsible for the protection of customer data.

The data leak had occurred at an IT company that provides an interface to the trading platforms.

According to Plusminus, the state data protection officer of Baden-Württemberg, Stefan Brink, regards the conduct of the online marketplaces as a "serious and scandalous process".

The customers should have been informed about the data leak.

What experts recommend after the data leak: Check suspicious account transactions

But what can potentially affected customers do now?

Data protection officer Stefan Brink advises them to keep an eye on their bank account and to check for suspicious debits.

In addition, customers should be wary of phishing emails.

With this scam, criminals pretend to be writing on behalf of an official online shop, using deceptively genuine-looking messages.

Customers are asked to enter personal data, such as passwords, on a prepared website, which the fraudsters then harvest.

Such emails should be deleted, and links in the message text should never be clicked.

In addition, according to swrfernsehen.de, the data protection expert and former data protection officer of Schleswig-Holstein, Thilo Weichert, recommends checking reliable databases to see whether one's own data has already been misused. The Identity Leak Checker of the Hasso Plattner Institute and the website Have I Been Pwned? check whether your own e-mail address or telephone number has been discovered in a data leak. Together with an IT specialist who was involved in processing the data leak, Plusminus also provides its own "leak checker".

It could also make sense to change your passwords as a precaution, according to data protection officials.

It is unclear whether passwords were also exposed in the data leak.

But this is a simple measure that can be carried out quickly and can avert major damage, says Thilo Weichert.

Reporting to the police is only advisable if misuse of personal data has actually taken place.

Those affected can also contact the state data protection officer of Baden-Württemberg directly.

Programmer noticed the huge data leak while troubleshooting: the company concerned filed a criminal complaint against him

The programmer Hendrik Heinle noticed the huge data leak when he was commissioned by a retailer to eliminate a problem with software from the company Modern Solution from Gelsenkirchen. Modern Solution's customers are retailers who want to offer their products on various online marketplaces. The software connects retailers to various marketplaces such as Otto or Check24 via an interface.

According to a report by golem.de, when troubleshooting, IT specialist Heinle discovered that Modern Solution grants all its customers access to the databases – including those of other retailers. This allowed all dealers to view all customer orders from other dealers. In addition, the credentials required for server access were stored in plain text in the software. The software could also be downloaded from Modern Solution's website by anyone. Thus, practically anyone would have been able to access highly sensitive user data.

Instead of thanking Hendrik Heinle for his discovery, according to golem.de, Modern Solution filed a criminal complaint against the programmer and a blogger who reported on the case for alleged "spying on data".

During a house search at Heinle's company, his work computers were also confiscated.

The IT specialist then launched a fundraising campaign to finance his court case.

American corporations are also repeatedly criticized by privacy advocates.

The Meta subsidiary WhatsApp is considered a voracious data collector.

With a few tips, however, the data collection by WhatsApp can be limited.* (Paul Bröker)

*hna.de is a service of IPPEN.MEDIA

Source: merkur
