News

May 27, 2021

Klarna battles serious data breach, with reports of leaked user info

The Buy Now Pay Later giant is battling a tech error, which compromised some user information


Isabel Woodford

2 min read

Klarna acquires price comparison site Pricerunner to add features in its buy now pay later app.

Consumers have raised the alarm after user information was mistakenly leaked at Klarna, Europe’s largest private fintech.

The company, which is reportedly in the throes of closing a deal valuing it at $40bn, came under fire on Thursday after users complained they were being accidentally logged in as other people, given them access to strangers' personal information.

That included randomised postal addresses and past purchases. Partial card details were also exposed, according to one tweet.

Advertisement

Klarna responded by temporarily locking down its app services, and said a technical error was to blame.

The company, which is headquartered in Sweden, now boasts over 90m users worldwide, and saw app downloads grow at pace last year both in Europe and the US.

The reports of data leaks were a blow to the fintech darling which has scooped up increasing amounts of investor cash and is being wooed by regulators across the continent for a potential initial public offering. 

Still, the fintech isn’t the first fast-growing European startup to face data troubles. An IT collective in Germany raised alarm bells earlier this month about delivery startup Gorillas, which is reported chasing a $6bn valuation. The group found weaknesses in its data security and were able to access sensitive customer information.

Not a hack

Klarna issued a statement Thursday that stressed the incident was not an external attack.

It also initially stated that up to 90,000 app users had been affected but later reduced that number to a maximum of 9500.

The statement, penned by CEO Sebastian Siemiatkowski stated there had been a "self-inflicted incident, that for 31 min affected not more than 9,500 of [its] app users.

He added "that a human error caused the bug and it was not an external breach of [the company's] systems."

"It is important to note that the access to data has been entirely random and not showing any data containing card or bank details (obfuscated data). Even though GDPR would classify the information visible as 'non-sensitive', for Klarna all data is important. We are taking this incident very seriously and we will work tirelessly to regain the affected consumers’ trust," the statement said.

A spokeswoman for the company also clarified that the data was "was not actionable upon", from a regulatory perspective.

It's unknown if the breach affected just the UK.

This article was updated on Friday, 28 May to reflect a revised number of users affected and to include a statement from a Klarna spokeswoman.