Drugstore Schlecker customer information exposed on web

DPA/The Local

German drugstore chain Schlecker has suffered a major online data breach, with the names, addresses and profiles of about 150,000 customers being exposed on the internet, the company announced Friday.

A spokesman for the firm confirmed media reports that the personal data of online customers had been exposed on the internet for an unspecified period and was available to any web user.

However, account numbers and passwords were never vulnerable, the spokesman said.

The mistake had not been Schlecker’s but rather had been made by an external service provider, he said. The error had since been fixed and the data was no longer available online.

Daily Bild reported that the first and second names, the addresses, genders, email addresses and customer profiles were all accessible. A further 7.1 million email addresses of customers receiving the firm’s newsletter were also available, the paper reported.

Schlecker was now investigating how the breach had occurred.

“We are in close contact with our service provider,” the Schlecker spokesman said.

Data protection specialist Tobias Huch, who discovered the data online, said: “We stumbled on this data breach by accident. Then we realized: this is no data leak, this is a wide-open door.”

The information was available from any regular computer, the paper reported. It could have been used by criminals masquerading as Schlecker to defraud customers, Huch said.

“They would write to the customers in the name of Schlecker – directly over the publicly available mail server. The customer would trust the correspondent, thinking, ‘Yes, it’s Schlecker.’ They would make purchases and hand over their bank details.”

Burkhardt Müller-Sönksen, media expert in the parliamentary group of the pro-business Free Democrats, said: “It’s a scandal that this sensitive data can be made available. That is grossly negligent, a violation of the data protection regulations.”
