Mail order company: Otto displayed orders from other customers

Whenever a reader opened or updated the app of the mail order company Otto, he saw orders from other customers. In addition to the goods ordered and the delivery time, he was also shown the delivery address and payment method. When asked by, the mail order company confirmed the malfunction. This occurred during a software update in the shop on August 5th.

Job market

  1. University Medicine of the Johannes Gutenberg University Mainz, Mainz
  2. Web Computing GmbH, M├╝nster

The software update resulted in the order data of other customers being displayed in the customer account on the website or in the app. “It was not possible to manipulate this data, such as canceling or changing the order. Passwords, customer numbers, bank or birth data were not affected and could not be viewed”, stressed Frank Surholt, press spokesman for the mail order company, and added: “Such a mistake must not happen”.

Otto reversed the update after 25 minutes. In the meantime, the bug has been fixed, said the press spokesman. “According to current knowledge, several hundred customers were affected”, says Surholt. Otto reported the incident to the responsible authorities on August 6th. It is not known whether the affected customers were also informed, whose names and addresses including the goods ordered were visible to third parties. An answer to a corresponding request is still pending.

Such data leaks are notifiable according to the General Data Protection Regulation (GDPR). In the first year and a half of its existence alone, a law firm counted 160,000 reported GDPR violations, 37,636 of them in Germany. In some cases, the companies faced heavy fines. Most recently, the health insurance company AOK Baden-W├╝rttemberg had to pay a million-dollar fine because it used the personal data of competition participants for advertising purposes without them having given their consent.

Please activate Javascript.

Or take advantage of that Golem pure offer

and read

  • without advertisement
  • with Javascript turned off
  • with RSS full text feed