Marketplaces at Otto, Kaufland, Mediamarkt etc.: customer data unprotected on the web

The data of users of well-known German online marketplaces lay unprotected on the web for years. How to see if you are affected.

The Tagesschau reports that the data of probably more than 700,000 customers of German online shops lay unprotected on the Internet for several years. The exposed data, about a million data records, includes e-mail and postal addresses, order information, telephone numbers and, in some cases, even bank details, as the Tagesschau writes. The affected customers have not yet been informed.

These online marketplaces are affected

Customers of the following online marketplaces are affected by this security gap: Otto, Kaufland (formerly real), Mediamarkt, Check24, Tyre24, Idealo, Hood and Crowdfox. You should be able to use this tool to check whether you, the customer, are affected by the data leak.

Technical background:

Otto, Kaufland and Mediamarkt also operate marketplaces on their sites. External traders can offer their products on these marketplaces. To use the large sales platforms, these external dealers have to connect their merchandise management system to the online marketplace via so-called interface service providers. The customers' order data is processed for the retailer via these interfaces.

An interface service provider failed

According to the Tagesschau, there are around a dozen such interface service providers in Germany. At one of these interface service providers, the data was unprotected. As a result, data from customers of the above-mentioned marketplaces was exposed on the web.

A programmer discovered the gap in the summer of 2021. Although the data leak has now been closed, the affected customers have not yet been informed, according to the Tagesschau.

Otto, Kaufland and Mediamarkt emphasize that they are not responsible for the marketplaces under data protection law. The platforms see themselves only as “intermediaries between customers and dealers”. The dealers are the direct contractual partners of the customers. Therefore, the dealers are also responsible for protecting customer data.

It is not known whether cybercriminals are already using the data for fraud, for example for phishing attacks. This is conceivable, however, because the data leak is said to have existed for three years.

Statement from Otto

Otto sent us this statement on the data leak:

“There was no ‘data leak’ at OTTO. Rather, a ‘hack’ took place in June 2021 at a service provider (Modern Solution) that dealers used to connect to our and other platforms. The decision as to which service provider is used here rests exclusively with the dealers who cooperate with us. As a result, our partners also have a contract with this same service provider, are responsible for data protection according to Art. 4 No. 7 GDPR and are obliged to inform ‘affected’ customers themselves directly. After the ‘hack’ became known, OTTO immediately blocked the service provider’s access and has not worked with this company since then. In addition, after the incident, we again drastically increased our own security requirements for such service providers and are continuously monitoring them.”

Quote end

A spokesman for MediaMarktSaturn gave us the following reply:

“We at MediaMarktSaturn had no data leak and we have no contractual business relationship with the service provider mentioned in the article. The platform is not technically operated by us.

Basically: We have made extensive contractual provisions that oblige the affiliated dealers to meet all statutory data protection requirements. These third-party dealers undertake to take suitable technical and organizational measures to ensure the security of personal data in every respect. For example, the so-called API interface between our marketplace and the third-party dealer must be effectively protected against unauthorized access. This also applies to service providers who implement the connection on behalf of the retailer.

And: MediaMarkt has been operating its marketplace in a beta phase since summer 2020. In this respect, the accusation that data has been available for three years does not apply to MediaMarkt.”

Quote end
