Global News
Jun 4, 2021, 17 min read

27th May Incident Report

by Klarna

On May 27, 2021, Klarna’s app users experienced an incident caused by a faulty configuration change in our app. For 31 minutes, between the introduction of the change and the disabling of access to our app, some app users saw a subset of their information exposed to other app users. We take the protection of our users’ personal information very seriously and sincerely regret that this incident ever occurred and that we failed to live up to our high standards for privacy.

When mistakes happen and our promises to our customers are broken, it is essential for us to work tirelessly to regain the trust of our customers. As part of our commitment to transparency and openness, we want to publish a full summary of what happened, the implications, a Q&A, and links to further details. If you have questions regarding the incident, you are also more than welcome to contact our customer service.

Important to note:

  • The incident only affected the information displayed. No changes, updates or payments could be made by a user on another user’s account¹.
  • No card details or account details were exposed since they were obfuscated (masked).
  • The numbers presented here represent the upper limits of the potentially impacted users. We are currently working on further analyses to identify the exact number of affected users.

Overview of the incident

Background:

The issue only affected users of the Klarna app (iOS and Android), not our web-based access. The Klarna app has a number of different sections that present different sorts of information sets from a user’s profile. Figure 1 below shows examples of such sections, labelled A, B, C. In each of them, the information set that stems from a specific user’s account is marked in red.

  • In section A, “Jane” is a set of information from that user profile.
  • In section B, the carbon footprint in kg, the carbon footprint per month, and the highest emission purchases are information sets from that user profile.
  • In section C, the purchase details are a set of information from that user profile.

Figure 1

To clarify the impact the issue had on different app users, we have split them into two groups, each with two subgroups.


Group 1

Group 1 consists of users who were accessing different sections of the app during the time of the incident. Due to the nature of the issue, the information sets presented to the users in Group 1 stemmed from multiple other users. Group 1 is further divided into:

  • Group 1a consists of users who were shown non-identifiable information from Group 2a.
  • Group 1b consists of users who were shown identifiable information from Group 2b.

A common scenario for Group 1 is best described with an example. First, the user accessed section A in Figure 1, in which a particular user’s information set was displayed. They then accessed section B, where another user’s information set was displayed, and then section C, where yet another user’s information was displayed. Often, when a section was refreshed, yet another user’s information would be displayed in the same section. Another common scenario was that users incorrectly assumed that all the information they saw across different sections belonged to one particular user and that they had access to another user’s complete information set. In fact, the information shown was a mix of information from multiple users, and no single user’s complete information set was compromised.

Group 1a consists of 79,000 Klarna users.
Group 1b consists of 11,000 Klarna users.

Group 2

Group 2 consists of users whose information was displayed to Group 1 users while those users were accessing the Klarna app. Group 2 is further divided into:

  • Group 2a consists of users who had non-identifiable information shown to Group 1 users. This was information that cannot be tied to a specific user.
  • Group 2b consists of users who had identifiable information shown to Group 1 users. This was information that can be tied to a specific user.

Group 2a

A common scenario for Group 2a was that a Group 1 user accessed a section of the app (for example section C in Figure 1) and was shown a random Group 2a user’s information set, such as the carbon footprint or a list of transactions shown in sections B and C of Figure 1. The information displayed was non-identifiable, since nothing in that section indicates which user the information belongs to.

Group 2a consists of 68,000 Klarna users.

Group 2b

In some sections of the app, there is information that, by its nature, can be tied to a specific user. Two such sections are shown in Figure 2 below. In those scenarios, Group 1 users would see identifiable information belonging to a Group 2b user. No card details or bank account details were exposed.

Group 2b consists of 15,000 Klarna users.

Figure 2

Q & A

Questions about the specifics of the incident 

What caused the incident?

During an update of the Klarna app, at 10:49 CEST on Thursday May 27, a human error caused information to be temporarily stored (cached) in the service in an unintended way. A few minutes after the update we got reports of an issue in the app, and a few minutes later we understood that app users may have been seeing a mix of other users’ information. At this time, the cause of the incident was not identified but we started to disable the parts of the app where issues had been reported.

Multiple teams started to work diligently on the issue and reviewed all available information to identify the cause. 31 minutes after the update had been taken live (at 11:20 CEST), all access to the Klarna app and the web version of the app was disabled.

For in-depth technical details, see our Root Cause Analysis document.

Were there no safety protocols in place to avoid this?

Yes, there were. Unfortunately, they did not prevent the incident. There are multiple safety protocols in place at Klarna. For example, all changes made to Klarna systems go through extensive testing protocols, code reviews, etc. In this specific case, the change that introduced the error was reviewed by multiple engineers, and testing was performed on the full update without detecting the error.

For in-depth technical details, see our Root Cause Analysis document.
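As an added illustration (not Klarna’s code and not taken from the Root Cause Analysis document), the snippet below models a per-user profile section endpoint behind a response cache: once with a cache key that omits the requesting user, once with the user included, together with the ownership invariant that a test or monitor could assert to catch cross-user leakage before or shortly after a release. The page states only that data was cached in an unintended way; the missing-user-in-key mechanism, all names and the sample data are assumptions.

```python
# Added illustration, not Klarna's code. The cache-key defect below is an
# ASSUMED mechanism for a cross-user leak, not a detail from the incident report.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed sample data standing in for sections A/B of the app.
PROFILES = {
    "user-1": {"name": "Jane", "carbon_kg": 12.4},
    "user-2": {"name": "Ali", "carbon_kg": 3.1},
}

def load_section(user_id: str, section: str) -> dict:
    """Backend lookup of one section of one user's profile; the owner is tagged."""
    return {"owner": user_id, "section": section, "data": PROFILES[user_id]}

@dataclass
class CachedService:
    key_fn: Callable[[str, str], Tuple]
    cache: Dict[Tuple, dict] = field(default_factory=dict)

    def get_section(self, user_id: str, section: str) -> dict:
        key = self.key_fn(user_id, section)
        if key not in self.cache:
            self.cache[key] = load_section(user_id, section)
        return self.cache[key]

# Weak configuration: the key omits the requesting user, so the first
# user's response is replayed to everyone who asks for the same section.
def unsafe_key(user_id: str, section: str) -> Tuple:
    return (section,)

# Corrected configuration: the principal is part of the key.
def safe_key(user_id: str, section: str) -> Tuple:
    return (user_id, section)

def leaked_responses(service: CachedService, requests) -> List[Tuple[str, str, str]]:
    """Invariant check: every response must be owned by the user who asked.
    Returns (requester, owner, section) for each violation; a release test
    or a production monitor would alert on a non-empty result."""
    leaks = []
    for user_id, section in requests:
        resp = service.get_section(user_id, section)
        if resp["owner"] != user_id:
            leaks.append((user_id, resp["owner"], section))
    return leaks

# Constructed request sequence: two users alternately viewing sections A and B.
REQUESTS = [("user-1", "A"), ("user-2", "A"), ("user-2", "B"), ("user-1", "B")]

if __name__ == "__main__":
    print(leaked_responses(CachedService(unsafe_key), REQUESTS))
    print(leaked_responses(CachedService(safe_key), REQUESTS))
```

With the weak key the second request for each section is served another user’s data, which is exactly the mix-of-users symptom described above; with the corrected key the check returns no violations.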

Was this incident the result of a security breach?

No. It has been confirmed that the cause was a human error by a set of Klarna employees. We have verified in logs, monitoring data, etc., that there was no unusual or suspicious activity during the incident.

What parts of Klarna’s services were affected?

Only the app, and only users actively using the app at the time of the incident, were affected. Web access for our end users was shut down during the incident as a precaution. All other Klarna systems including all our payment and merchant services were unaffected.

Why was app access shut down?

Given the severity of the incident, shutting down the Klarna app was deemed necessary to protect our users. The app remained disabled while we investigated the impact and scope of the incident. During this time our main priorities, before getting the app back online, were to:

  • Get a complete understanding of what had happened
  • Mitigate the cause of the incident
  • Identify what information could have been exposed to other users
  • Prevent any additional information from being exposed amongst users

The app was gradually re-enabled starting 16:08 CEST and fully live at 17:35 CEST.

Shutting down the app is not a decision we take lightly. We have a responsibility towards our millions of daily users, for whom our app plays an important role in managing their day-to-day personal finances, including paying for purchases. Therefore, we made sure that all users with payment(s) due on May 27 were given an additional day to complete their payment.

What was the timeline of the incident?

All times CEST

  • 2021-05-27 10:49 We deployed the problematic configuration update
  • 2021-05-27 10:58 We began to investigate multiple issues based on incoming user reports
  • 2021-05-27 11:01 We identified the situation as extremely serious, raised it as a critical incident and escalated it to senior management
  • 2021-05-27 11:15-11:20 We disabled app features known to be affected by the incident to prevent further information leaks
  • 2021-05-27 11:18 We identified the configuration update as the probable root cause and reverted the update
  • 2021-05-27 11:20 We completely disabled the app in all markets
  • 2021-05-27 16:08 We began to bring the app back online in all markets
  • 2021-05-27 17:35 The app was fully online again in all markets

What is being done to prevent this from happening again?

We have made updates to our development processes and our monitoring, and have identified and started working on a number of additional improvements to prevent recurrence and mitigate the impact of similar incidents.

For in-depth technical details, see the Remediations section in the Root Cause Analysis document.

What countries were affected?

The incident affected all countries where the Klarna app is available, i.e. Australia, Austria, Belgium, Canada, Denmark, Finland, France, Germany, Italy, New Zealand, the Netherlands, Norway, Spain, Sweden, United States and the United Kingdom. However, due to the time of the day, the majority of affected users were in the EU and UK.

Klarna has stated that it was a human error that caused the incident. Are you saying it was a single individual’s responsibility? Is it not the whole organization’s responsibility? Should your systems not be designed so that a single human error cannot have these consequences?

The responsibility for protecting our consumers’ privacy lies with the whole organization. The reference to a human error is only there to describe the chain of events that led to the incident. In accordance with industry best practices, Klarna’s systems are designed to prevent human errors from impacting our systems. It is, however, impossible to entirely rule out human errors. In this specific case, Klarna’s systems and processes provided insufficient protection against human error. The group of engineers that made and reviewed the change followed established procedure.

Why has the report on the incident been delayed?

When reporting on the incident, we have been balancing getting information out fast with getting accurate information out. This incident is quite complex in nature and, unfortunately, the analysis and assessment have taken longer than we had originally hoped.

Questions about the impact on consumers

You state that identifiable information was displayed; what exact information was displayed?

Name, address, email address, date of birth and phone number.

Was any user able to log in to another user’s account?

No. During the incident, some users were able to see some information belonging to other users. At no time was any user able to access another user’s account.

Please read the full description of the impact on users in the previous section of this blog post.

How can I know if I was affected?

The only users that may have been affected were the ones logged into and actively using the app during the time of the incident, i.e. between 10:49 and 11:20 CEST on May 27, 2021.

Will you inform those affected?

We are currently working on analyses to identify the affected users. Assuming we are able to conclusively identify them, we will inform them.

How does this affect the trust in Klarna?

Naturally, any incident affecting consumers’ privacy will impact the trust in Klarna from consumers, merchants and society in general. But trust is also affected by how one acts when things go wrong: how transparent we are, and the lessons we learn and actions we take. We are dedicated to showing our customers that we deserve their trust.

How is Klarna handling customers who were unable to make their payments, due to the app being unavailable?

All customers with payments due on May 27 were given more time to complete their payment.

Have people been able to change other users’ accounts or shop in other people’s names or accounts?

No. The incident only affected the information displayed. No changes, updates or payments could be made by a user on another user’s account².

Regulatory questions

Have you reported to the authorities?

Yes, Klarna has been in contact with relevant national data protection authorities in relevant countries as required by law.

Does Klarna assess that you have upheld bank secrecy throughout the incident?

We are working with relevant authorities to assess the scope and classification of the incident.

How can you say it was only “non-sensitive” data when people were sharing screenshots from bank accounts on social media?

Such reports are not entirely accurate. To understand what information was actually displayed, please read the previous section of this blog post. We have not seen any reports in social media that are inconsistent with what we describe as the impact in our blog report.

Was this a GDPR breach?

Klarna has assessed the incident and reported it in accordance with applicable laws, including the GDPR. The authorities will now assess it based on that.

Questions that may be particularly relevant for merchants

Was it possible to shop in my store in someone else’s name?

No. The incident only affected the information displayed.

What can I inform customers contacting me regarding the app incident?

We suggest you inform them that: “Klarna has confirmed that they experienced an issue in their consumer app interface on May 27. It was quickly resolved and they resumed full operations in a few hours. For more information, please visit this blog post.”

How can I know if my customers were affected?

Users of Klarna have a direct customer relationship with Klarna and are protected by bank secrecy. As a consequence, it is not within Klarna’s remit to share information about affected customers with our merchants.

Do Klarna partners have to take any action in the form of notifications to authorities?

Klarna partners do not need to take any action as a result of this incident.

Does Klarna assume full responsibility for this incident with regard to privacy, and thus accept that no blame lies with the merchants?

The incident is a direct result of a human error caused by Klarna; our merchants have no part in it and are therefore not responsible.

What certifications does Klarna have (e.g. ISO 27001, ISO 27008, SOC 2 Type 1/Type 2)?

Klarna is ISAE 3000 and 3402 certified.

Does Klarna have an active bug bounty program?

Yes. Note that this incident was the result of a configuration error made by Klarna employees, not a bug or a security breach.

Was this only affecting your own app or all users based on your exposed API?

The incident only affected users of the Klarna app (iOS and Android). No other Klarna products or services were affected.

Was Klarna Open Banking or Sofort affected?

No, neither Sofort GmbH nor Klarna Open Banking were impacted.

¹ ² The exception was 8 payments on unpaid invoices that were initiated and then later reversed.