Klarna plays down data breach amid customer backlash
Klarna has issued a statement that attempts to explain why customers logging into their accounts yesterday morning were shown the accounts of random other Klarna customers instead of their own.
According to Klarna, yesterday’s technical issue lasted 31 minutes and affected a maximum of 9,500 customers. It says only ‘obfuscated’ – unclear, or unintelligible – bank card data was displayed.
However, Klarna customers were able to see the names, addresses, phone numbers, and purchase histories of numerous other borrowers, suggesting the data breach was more serious than Klarna was admitting.
A statement from Klarna said: “The bug led to random user data being exposed to the wrong user when accessing our user interfaces. It is important to note that the access to data has been entirely random and not showing any data containing card or bank details (obfuscated data was visible). Even though GDPR would classify the information visible as ‘non-sensitive’, for Klarna all data is important. We are taking this incident very seriously and we will work tirelessly to regain the affected consumers’ trust.”
Several Klarna customers have taken to Twitter to question whether the customer data displayed was ‘non-sensitive’.
One Tweeted: “I could see phone numbers, purchases, home address, partial card details etc of multiple people. This doesn’t count as a breach of GDPR? Outrageous.”
Another Klarna customer Tweeted: “ ‘Not showing any data containing card or bank details’ well, I was able to see the credit card details of several persons as well as mobile-phone numbers”.
The @AskKlarna Twitter account stated: “Some users, in some cases, have been able to see personal data of other users. But it’s important to underline that no card or bank details were disclosed at any time.”
But one customer replied to this statement saying: “That’s a lie, I was able to see the saved cards on the accounts you kept logging me into, along with their full names, addresses, mobile numbers. I screenshot and sent this to you via live chat thinking my account had been hacked and someone had changed my details.”
Klarna says the issue was discovered at 11.04am yesterday after an update introduced 15 minutes earlier led to an error affecting Klarna’s app users. It says payment services, the Klarna Card, merchant checkouts and merchants’ user interfaces were unaffected by the issue. Klarna claims the problem was fixed by 11.20am and blamed it on ‘human error’ rather than an external breach.
Klarna is a buy now, pay later (BNPL) lender which allows borrowers to pay for goods, often of relatively low value, in instalments, or pay the whole balance at a later date. It has been criticised for tempting young shoppers into debt.
James Andrews, personal finance expert at Money.co.uk, said: “The Klarna malfunction has left some customers seriously worried after appearing to be able to access other people’s accounts. Klarna has done the right thing in putting security measures in place while it resolves the situation, but not being able to access your account must be very frustrating if you are worried about your personal details being stolen or have a payment due.
“There is also the worry that if any personal details have been stolen as a result of the glitch, they might not be used right away. Generally, if you hear about a breach involving an institution you do business with, contact the organisation in question to check whether there’s any risk your data has been leaked.
“You can visit the organisation’s website to see if there is a statement about the breach with any instructions about what to do next, or you can call the company’s customer service phone number for a more immediate response.
“As a rule, you should also routinely monitor all of your accounts for suspicious activity, including any transactions you may not remember making. While the Klarna app is down, users can’t check their accounts, but it’s always better to be safe than sorry when it comes to financial matters, so it’s wise to keep a close eye on any connected bank accounts during the next few days.”