Klarna shuts app down after users report being logged into random accounts
Buy now, pay later (BNPL) firm Klarna has experienced a technical error which led to customers logging into the wrong accounts.
The fintech allows shoppers to pay later for items bought online. It raised a mammoth $1 billion in equity funding in March.
Users began reporting issues with their app on Thursday morning, posting screenshots showing they were able to see the balances and account details of other users.
One wrote on Twitter: “Klarna has a major security issue on their hands this morning! Each sign in is a different person’s details”.
Another added: “I can see all the information [another user] provided including stored bank details, addresses, phone numbers, purchases.”
A statement on the Klarna website reads: “We are currently experiencing system disturbances caused by a technical error.
“We apologise for any inconvenience this is causing. Whilst we are addressing the issue, customers are unable to log into the app.”
FinTech Futures contacted Klarna for more information on the breach, but received an identical statement to the above.
News of the glitch arrives just hours after reports surfaced that Klarna is planning a new funding round which could lift its valuation to $40 billion.
The rumoured deal, reported by Business Insider, could be worth around $500 million. BI sources indicate that the deal is set to close soon.
Klarna CEO, Sebastian Siemiatkowski, reacted with dismay to the problems.
“So sad and frustrating to realize that we have had a self-inflicted incident, for 30 min, affecting the privacy of some of our users,” he writes on Twitter.
“Full attention from all colleagues to bring back things to normal, take actions to avoid this going forward and communicate broadly. More to come.”
He later added on a company blog post that 90,000 of its users were affected by the glitch.
“The bug led to random user data being exposed to the wrong user when accessing our user interfaces.
“It is important to note that the access to data has been entirely random and not showing any data containing card or bank details (obfuscated data was visible).”
Siemiatkowski stresses that the data available to users was not sensitive, and thus not a direct violation of the EU’s General Data Protection Regulation (GDPR).
In the UK, if firms believe a data breach poses a risk to someone’s personal data, they must report it to the Information Commissioners Office (ICO).
In Klarna’s home country of Sweden, it falls under the remit of the Swedish Authority for Privacy Protection. There, companies are required to report a data breach within 72 hours of becoming aware of it, with an extended reporting period of four weeks for supplementary information.
Siemiatkowski says human error caused the bug and it was “not an external breach of our systems”.
He adds: “Unfortunately, an inadequate risk assessment of a subsystem allowed for a handling error to be introduced into our live systems.”
Klarna claims to have 90 million users in 17 countries, and has partnership deals with more than 250,000 retailers.