Data leak: complaint against IT expert came from Modern Solution

Modern Solution filed the criminal complaint against the IT expert who had uncovered a risk to the data of hundreds of thousands of customers posed by the company's software. This emerges from the investigation files that heise online was able to inspect. Following the complaint, the police searched the programmer's home and confiscated numerous devices. Modern Solution has also filed a complaint against a blogger who reported on the case.

The programmer is being investigated for, among other things, spying on data, data theft and violations of the Federal Data Protection Act. According to the investigation file, Modern Solution told the police that the programmer could only have gained access to the company's systems with insider knowledge. The justification offered for this assumption is, however, technically unconvincing.

For several years, the personal data of around 700,000 customers of various online retailers was accessible, largely unprotected, on Modern Solution's systems. These customers had bought from smaller retailers that used Modern Solution software to offer their products on the marketplaces of large online retailers such as Otto, Kaufland or Check24.

After the independent programmer made the data leak public in June, his home and office were searched on September 15 and all of his work equipment – a PC, five laptops, a mobile phone and five external storage media – was confiscated. The devices are still in police custody. As far as is publicly known, the massive data leak has so far had no legal consequences for Modern Solution.

It can now be said with certainty that the criminal complaint and the subsequent search were initiated by Modern Solution as a direct reaction to the publication of the data leak. Until now this had been a mere presumption. The company's explanation is that the programmer was only able to access the data with insider knowledge and that he is, moreover, a competitor.

According to the investigation file, senior employees of Modern Solution told the police that the programmer had previously worked for the company JTL in Hückelhoven. JTL produces the merchandise management systems to which Modern Solution's software connects on the retailer's side. The programmer's employment at JTL was terminated after a conflict. The accused confirmed his employment at JTL to heise online and did not deny that there had been "problems" during his time at the company.

According to its own information, Modern Solution specializes in setting up and hosting these so-called WaWi systems (merchandise management systems) from JTL. Representatives of Modern Solution told the police that the programmer had obtained the password giving him access to the data at Modern Solution through insider knowledge acquired at JTL.

In June, while troubleshooting for a Modern Solution customer, the IT expert discovered that the Modern Solution software exchanged data with the company's database server over an unencrypted SQL connection, and that the access credentials were hard-coded into the software. As a result, anyone who could obtain a copy of the software, which was in principle freely available, had access to the data of all customers whose purchases were processed through Modern Solution systems. Blogger Mark Steier documented exactly how this worked in a post from June 23.

Modern Solution has never publicly denied this account. However, senior employees of the Gelsenkirchen-based company argued to the police that the programmer could only have obtained this password because he had previously worked for JTL. In addition, according to the file, the company takes the position that compiling the software constitutes effective protection against attacks such as reading out password strings. If this interpretation were followed, circumventing this alleged protective measure could establish criminal liability, since the offence of spying on data presupposes that a special access protection was overcome.

Experts, on the other hand, doubt that compiling source code offers any effective protection for passwords or similar secrets: a compiler translates the program logic, but string literals such as credentials survive unchanged in the resulting binary unless they are deliberately obfuscated. In the course of its research, heise online succeeded, for example, in reading password-like strings from Modern Solution software that is freely downloadable from the Internet, using common tools. The prevailing legal opinion also appears to contradict Modern Solution's interpretation. The European Court of Justice (ECJ) has only just ruled (Top System, C-13/20) that decompiling software is permitted for the purpose of correcting errors. And it was precisely for this reason that the programmer examined the software and decompiled parts of it.
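To show what "reading password-like strings with common tools" means in practice, here is an added example, written for this article and not code from Modern Solution, JTL or the programmer involved. It builds a constructed blob that imitates a compiled executable (invented host, database, user and password; they belong to nobody), then extracts printable runs exactly as the `strings` tool does and flags any run that looks like a database connection string carrying a password. The ASCII and UTF-16LE scans, the key names and the sample binary are all assumptions of the example, not details taken from the case.

```python
"""Find hard-coded database credentials in a compiled binary: the same thing
`strings` plus grep would do. Added example for this article; constructed
sample data, not Modern Solution's software."""
import re
import sys

# Constructed sample connection string embedded in the fake binary below.
# Host, database, user and password are invented for the example.
SAMPLE_CONN = ("Server=db.example.invalid,1433;Database=shop;"
               "User Id=app;Password=Hunter2!;Encrypt=False")


def build_sample_binary() -> bytes:
    """Assemble a constructed blob that imitates a compiled executable: opaque
    bytes with a few string literals in between. The connection string appears
    once as ASCII and once as UTF-16LE, the encoding Windows/.NET binaries use
    for their string literals (an assumption of this example)."""
    opaque = bytes(range(0x80, 0x100))   # no printable ASCII in here
    junk = bytes(range(0x20, 0x7F))      # a printable run that holds no secret
    return (b"MZ" + opaque * 4
            + b"LoadLibraryA\0" + opaque
            + SAMPLE_CONN.encode("ascii") + b"\0" + opaque * 2
            + junk + b"\0" + opaque
            + SAMPLE_CONN.encode("utf-16-le") + b"\0\0" + opaque * 4)


def extract_strings(blob: bytes, min_len: int = 8):
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters, once for ASCII and once for UTF-16LE. This mirrors
    `strings` (and `strings -el` for the UTF-16 case)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(blob)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in utf16_re.finditer(blob)]
    return sorted(found)


# Keys used in ADO.NET / ODBC style connection strings (assumed format).
CONN_KEY = re.compile(
    r"(?i)\b(server|data source|database|user id|uid|password|pwd|encrypt)"
    r"\s*=\s*([^;]+)")


def find_credentials(strings):
    """Flag every extracted string that carries a password and report its
    fields, plus whether it explicitly turns transport encryption off."""
    hits = []
    for offset, encoding, text in strings:
        fields = {k.lower(): v.strip() for k, v in CONN_KEY.findall(text)}
        if "password" in fields or "pwd" in fields:
            hits.append({
                "offset": offset,
                "encoding": encoding,
                "fields": fields,
                "plaintext_transport": fields.get("encrypt", "").lower() == "false",
            })
    return hits


def mask(secret: str) -> str:
    """Redact a secret for a disclosure report: keep the length, hide the value."""
    return secret[:1] + "*" * (len(secret) - 1) if secret else ""


if __name__ == "__main__":
    # Scan a real file if a path is given, otherwise the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_binary()
    for hit in find_credentials(extract_strings(data)):
        f = hit["fields"]
        pw = f.get("password", f.get("pwd", ""))
        print(f"offset {hit['offset']:#x} ({hit['encoding']}): "
              f"server={f.get('server', '?')} "
              f"user={f.get('user id', f.get('uid', '?'))} password={mask(pw)}"
              f"{'  UNENCRYPTED transport' if hit['plaintext_transport'] else ''}")
```

Run without arguments it reports both copies of the constructed connection string, the password redacted, together with the `Encrypt=False` finding that corresponds to the plain-text SQL link described above. Pointed at a real executable it does the same, which is the whole point: compilation changes the representation of the code, not the bytes of the literals it contains. The fix is not to hide the credentials better but to keep them out of client software altogether, with the client talking to a server-side component that authenticates each retailer separately and with the database link itself running over TLS.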

Modern Solution told the police that the programmer intended to appear as a competitor of the company – something he did not deny to heise online – and was therefore trying to harm the company. The programmer rejects this. He says he wanted to disclose the security gap and the data leak as quickly as possible in order to protect the customers.

According to the police's search log, he cooperated with the officers and even gave them the passwords for his devices and encrypted data. According to our information, in the nearly three months between the disclosure of the vulnerability and the search he did not delete any data relating to the case – something a malicious attacker would have done immediately.

The responsible public prosecutor's office in Cologne declined to provide heise online with any details despite repeated requests. This leaves unanswered the question of why several months passed between the publication of the vulnerability and the search. The investigation files are marked in several places with the note "Hurry!", among other things on a copy from the beginning of August.

Modern Solution does not want to comment on request. “As a company, we have decided not to answer inquiries that concern an ongoing investigation,” the company explained to heise online. “We are currently writing our own statement and we still need some time for this. We are not interested in further heating up the current situation.” This statement has not yet been published.
