Klarna encountered serious data breach which compromised some user information

„The inccident caused by human error within Klarna, impacted 0,1% of our users – which is 0,1% too many,” the company recognised. „Buy Now Pay Later” giant was forced to temporarily shut down its app on May 27. It’s unknown if the breach has affected just the UK.

The Klarna’s UK website states: “We are currently experiencing system disturbances caused by a technical error…We apologise for any inconvenience this is causing. Whilst we are addressing the issue, customers are unable to log into the app.”

Sebastian Siemiatkowski, Klarna’s CEO, expressed his disappointment in an official statement: „… we are sad and frustrated to inform you of a self-inflicted incident, that for 31 min affected not more than 9,500 of our app users„.

Not a hack

Klarna reassured users on Twitter that it had not suffered a hack or an external attack, and blamed an internal fault.

„It is concluded that a human error caused the bug, and it was not an external breach of our systems. Despite following our set release process, we could still deploy a bug into our systems. This deems our release process to require reviewing and improvement to prevent errors like these in the future,” Siemiatkowski said.

The CEO of Klarna explains:

„The bug led to random user data being exposed to the wrong user when accessing our user interfaces. It is important to note that the access to data has been entirely random and not showing any data containing card or bank details (obfuscated data was visible).

At 11:04 am CET this morning (May 27), we discovered that an update introduced 15 min earlier had led to an error affecting our app users. Our payment services, the Klarna Card, the merchant checkouts, and the merchant’s user interfaces, were completely unaffected by this. At 11.20.42 am CET the error was deemed to be contained and fixed.”

Quick timeline and forward going actions

. 10:49 am CET: Bug introduced

. 11:20 am CET: User interfaces shut down to avoid any further issues

. Since then we have identified the root cause, started communications efforts, rolled back the bug, prepared to take the systems live again, and informed appropriate authorities.

. Now work will continue: 1) to analyze and understand exactly which consumers have been affected and how; 2) to analyze and understand exactly how the risk assessment of the specific systems was invalid, to implement appropriate actions to avoid this and similar incidents going forward.

.