27 May 2021

Klarna comment: statement on app bug.

by Sebastian Siemiatkowski

Update: The incident is resolved.

Trust is at the very core of Klarna and banking. This is why we are sad and frustrated to inform you of a self-inflicted incident that, for 31 minutes, affected no more than 9,500 of our app users. The bug led to random user data being exposed to the wrong user when accessing our user interfaces. It is important to note that the access to data was entirely random and did not show any data containing card or bank details (obfuscated data was visible). Even though GDPR would classify the information visible as “non-sensitive”, for Klarna all data is important. We are taking this incident very seriously and we will work tirelessly to regain the affected consumers’ trust.

At 11:04 am CET this morning, we discovered that an update introduced 15 minutes earlier had led to an error affecting our app users. Our payment services, the Klarna Card, the merchant checkouts, and the merchant’s user interfaces were completely unaffected by this. At 11.20.42 am CET the error was deemed to be contained and fixed.

It has been concluded that a human error caused the bug and that it was not an external breach of our systems. Despite following our set release process, we were still able to deploy a bug into our systems. This means our release process requires review and improvement to prevent errors like these in the future.

As the root cause was quickly identified, we immediately took appropriate actions with dedicated teams working on this as a top priority.

Quick timeline and actions going forward

  • 10:49 am CET: Bug introduced
  • 11:20 am CET: User interfaces shut down to avoid any further issues
  • Since then we have identified the root cause, started communications efforts, rolled back the bug, prepared to take the systems live again, and informed the appropriate authorities.
  • Work will now continue to:
    • analyze and understand exactly which consumers have been affected and how
    • analyze and understand exactly how the risk assessment of the specific systems was invalid, to implement appropriate actions to avoid this and similar incidents going forward

We are truly sorry for any inconvenience. Our customers’ trust and safety are our top priority, which makes situations like these extra important to us. If you are interested in reading more about how we handle data, please visit klarna.com and our privacy pages.
