Gorillas bicycle courier: The service has admitted a data breach
Photo: Arnulf Hettrich / imago images
The Berlin-based food delivery service Gorillas has confirmed a data leak.
"There were weak points in the merchandise management system," the company said on Thursday when asked.
"To the best of the company's knowledge, no data was stolen or otherwise misused." NDR and rbb were the first to report on the incident.
The vulnerability has since been closed, the company says. Potentially affected customers have been notified by email. According to the service, the Federal Office for Information Security (BSI) made Gorillas aware of the flaws. No further security deficiencies are currently known. A spokesman initially gave no information on the exact extent of the leak.
The vulnerability was discovered and reported to the BSI by the hacker collective »Zerforschung«.
Its members estimate that more than a million order records from more than 200,000 Gorillas customers were openly accessible on the Internet, including customers' names, addresses, telephone numbers, e-mail addresses and order details.
The collective also found photos in an unsecured cloud storage bucket that Gorillas couriers had taken of some customers' doorbell nameplates.
Gorillas recently raised €244 million in capital, and the company's valuation exceeded one billion dollars.
A company valued at that level is known as a "unicorn".
In its analysis, however, »Zerforschung« speaks of »unicorn slices«.
The hackers also discovered security gaps at the Hamburg delivery service Bringoo.
The data of 3,000 customers was accessible there, which Bringoo confirmed when asked by NDR and rbb.
It was not the first such case: in March, »Zerforschung« discovered a vulnerability in the app of the online supermarket Flink.
Unauthorized persons could have retrieved the names, addresses, telephone numbers, e-mail addresses and the last four digits of the credit cards used by its customers.
Start-ups disregard "basic IT security measures"
"Such gaps are a general problem, but especially in this industry," the collective writes to SPIEGEL.
"We keep seeing that start-ups disregard fundamental IT security measures." »Zerforschung« believes it knows possible reasons for this: "IT security and data protection are not as easy to market as new app features.
In addition, especially in the early phases of a start-up, investments are made in such new features and expansion instead of in a solid software foundation.
There is often no time later to tackle these problems again."
The hackers find it irritating that venture capitalists "don't seem to pay attention to the quality of the system": "If a product is market-ready enough to store customer data, it must also be mature enough to keep that data to itself."
pbe / dpa