The Limited Times


Online marketplaces: IT expert discovers data of 700,000 buyers

2021-07-01T15:43:42.375Z


Orders, addresses and in some cases even bank account details: information about users of large online marketplaces such as Otto, Check24 or Kaufland was poorly secured. The fault lies with a service provider.



Online shopping at Otto: »Taken as an opportunity to question the entire process«

Photo: imago images / Eibner

A security gap has exposed the data of customers who buy from smaller retailers on large online marketplaces such as Kaufland, Otto, Check24 or Idealo. According to SPIEGEL information, around 700,000 end customers are affected by the data leak. Since the summer of 2018 their transactions have been viewable: who bought what from which retailer, including the buyer's address, and in several thousand cases even the associated bank details.

The incident caused alarm at the affected marketplaces. An Otto spokesman said it was "used as an opportunity to question the entire process" and possibly to revise it. The dealers' access to the marketplace via the service provider has been completely blocked. Check24 reacted in a similar way. For the affected shopping offers, alias e-mail addresses are generally used for ordering customers; the real e-mail data is not passed on to the retailers, nor are bank details, said a company spokeswoman. This is how customer information is supposed to be protected. Kaufland, on the other hand, emphasizes that it only passes on customer e-mail addresses and postal addresses when an order is placed.

The problem for the online platforms: the data leak occurred at a service provider through which retailers connect to the marketplaces' web interfaces. Such companies are a kind of technical intermediary between traders and online trading platforms. Only the dealers therefore have a contractual relationship with these companies, not the marketplaces themselves. The platforms require dealers to take care of the security of their data, but nothing more. When an order is placed, the dealers are the customers' direct contractual partners and are therefore responsible for protecting customer data, according to Kaufland. They want to protect customer data, says the Otto spokesman. "Such an incident, caused by a third party with whom we have no contractual relationship, is then very damaging."

There are said to be several dozen such interface service providers on the market.

They help dealers who do not want to, or cannot, connect directly to the platforms, linking the platforms' interfaces with the merchandise management systems of the dealers who want to sell their goods via the online marketplaces.

The data leak that has now emerged shows how carelessly customer data is sometimes handled.

Last week, an IT specialist commissioned by a retailer to solve a technical problem with the connection to its interface service provider Modern Solution came across gaping security gaps.

Access credentials stored in the open

According to this account, Modern Solution granted its customers direct access to its server and to several databases stored there. The company from Gelsenkirchen had also stored easily readable access credentials for this server in its software, which every retailer had to install themselves, and these credentials were the same for all customers. The result: any Modern Solution customer could view the databases of all other customers, and the transactions of their end customers, on the service provider's server. All this information was thus effectively open to the IT specialist.

»You have to imagine that there is a program that aggregates all data from all dealers and their marketplaces. And then they had stored the password for their databases in plain text and without encryption, and on top of that, they hadn't deleted customer data on the server for years,« says the IT specialist, head of a service provider for online retailers.

Modern Solution's software containing the dealer access credentials could in turn theoretically have been found via a Google search, because the corresponding file was available through a freely accessible download link.

Modern Solution's server, in turn, could have been found by automated scanning programs.

It is unclear whether anyone ever took advantage of this.

Modern Solution wrote in its first statement to its customers that this was "currently not known".

The virtually non-existent separation between customers also meant that a single compromised retailer would have become a security risk for all of the service provider's other customers.
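As an added illustration (this is not code from Modern Solution or any of the marketplaces; their actual software does not appear on this page), the following Python sketch contrasts the design the article describes, one database password baked into every customer's installation that grants direct SQL access to every tenant's rows, with a per-tenant token and a server-side gateway that scopes each query to the tenant bound to the token. The schema, retailer names, orders and the password value are all constructed for the example; SQLite stands in for whatever database the provider really used.

```python
import hmac
import secrets
import sqlite3

# Constructed sample data: two retailers ("tenants") whose orders all land in
# one shared database, as the article describes for the service provider.
ORDERS = [
    ("retailer_a", 1001, "Anna Beispiel", "Musterstr. 1, Berlin"),
    ("retailer_a", 1002, "Bernd Muster", "Hauptweg 2, Hamburg"),
    ("retailer_b", 2001, "Clara Test", "Ringstr. 3, Köln"),
]


def build_db():
    """One shared SQLite database holding every tenant's orders (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (tenant TEXT, order_id INTEGER, customer TEXT, address TEXT)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", ORDERS)
    return conn


# --- Weak design (what the article describes): the client software ships with
# the database password, the same one for every customer, and talks to the
# database directly. Whoever reads the password out of the installer can run
# any query against any tenant's rows.
SHARED_DB_PASSWORD = "hunter2"  # hypothetical value baked into every install


def weak_client_query(conn, password, sql):
    """Direct database access: the only check is the shared credential."""
    if not hmac.compare_digest(password, SHARED_DB_PASSWORD):
        raise PermissionError("bad database password")
    return conn.execute(sql).fetchall()


# --- Hardened design: the database credential never leaves the provider.
# Each retailer gets its own random token, and a gateway resolves the token to
# a tenant id server-side, so every query is scoped to that tenant regardless
# of what the client asks for.
class Gateway:
    def __init__(self, conn):
        self.conn = conn
        self._tokens = {}  # token -> tenant id; one token per retailer

    def issue_token(self, tenant):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = tenant
        return token

    def revoke_token(self, token):
        self._tokens.pop(token, None)

    def _tenant_for(self, token):
        # Constant-time comparison against each issued token.
        for issued, tenant in self._tokens.items():
            if hmac.compare_digest(issued, token):
                return tenant
        raise PermissionError("unknown token")

    def list_orders(self, token):
        tenant = self._tenant_for(token)
        # The tenant filter comes from the token, never from the caller.
        return self.conn.execute(
            "SELECT order_id, customer, address FROM orders WHERE tenant = ?",
            (tenant,),
        ).fetchall()


def demo():
    """Compare the blast radius of a leaked secret under both designs."""
    conn = build_db()
    # Weak design: one leaked password exposes every retailer's end customers.
    weak_rows = weak_client_query(conn, SHARED_DB_PASSWORD, "SELECT * FROM orders")

    gw = Gateway(conn)
    token_a = gw.issue_token("retailer_a")
    token_b = gw.issue_token("retailer_b")
    # Hardened design: a stolen retailer_a token yields only retailer_a's orders...
    rows_a = gw.list_orders(token_a)
    # ...and revoking it closes the hole without touching retailer_b.
    gw.revoke_token(token_a)
    try:
        gw.list_orders(token_a)
        revoked_still_works = True
    except PermissionError:
        revoked_still_works = False
    rows_b = gw.list_orders(token_b)
    return {
        "weak_rows_visible": len(weak_rows),
        "retailer_a_rows": len(rows_a),
        "retailer_b_rows": len(rows_b),
        "revoked_still_works": revoked_still_works,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the difference in one comparison: the shared password returns all three orders across both retailers, while a retailer_a token returns only its two orders and, once revoked, nothing at all, leaving retailer_b's data untouched. The same pattern applies whether the gateway is an HTTP API, a stored-procedure layer or database row-level security; the point is that the tenant filter is derived server-side from the credential and is never something the client can choose.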

"We found that the system was still unsafe"

After his discovery, the IT expert anonymously warned Modern Solution by e-mail: he was shocked to find "that the access data transmitted lead to several databases on your servers."

The databases contained "sensitive user-related data".

Further customer data could be read from other tables.

He also turned to Mark Steier, the operator of the website wortfilter.de, which specializes in online trading.

Steier published a first article on the case on June 23, followed by several more, partly because Modern Solution's first, hasty repair attempts were apparently inadequate.

This is also confirmed by statements from Otto.

Immediately after the incident became known, all the dealers' passwords were reset, says the company spokesman.

"When Modern Solution claimed to have fixed the security gap, we found that the system was still insecure." As a result, the access was then completely blocked, and dealers could connect to the shop only directly.

The dealers have been informed about this.

The Modern Solution website has been replaced for days by a "live ticker" in which the company documents its renovation work.

The company has not yet answered questions from SPIEGEL.

The incident is also problematic for retailers, who are increasingly turning to online marketplaces to make themselves less dependent on the increasingly difficult business of physical branches.

The large sales platforms help the many small and medium-sized dealers in particular to acquire new customers relatively quickly and easily.

In the corona crisis, with many shops closed, the online platforms at times became the only strong source of sales for some retailers.

The influx to the marketplaces is correspondingly large.

However, some marketplaces do not feel obliged to become more involved in protecting data. After all, it is the retailer's obligation to comply with data protection, according to one affected platform.

Source: spiegel
