IT consultant fined for daring to expose shoddy security
A security researcher in Germany has been fined €3,000 for finding and reporting an e-commerce database vulnerability that was exposing almost 700,000 customer records.
Back in June 2021, according to our pals at Heise, a contractor identified elsewhere as Hendrik H. was troubleshooting software for a customer of IT services firm Modern Solution GmbH. He discovered that the Modern Solution code made a MySQL connection to a MariaDB database server operated by the vendor.
The statement indicates that sensitive data about Modern Solution customers was exposed: last names, first names, email addresses, telephone numbers, bank details, passwords, and conversation and call histories.
Steier contends that's incorrect and alleged that Modern Solution downplayed the seriousness of the exposed data, which he said included extensive customer data from the online stores operated by Modern Solution's clients.
In September 2021 police in Germany seized the IT consultant's computers following a complaint from Modern Solution that claimed he could only have obtained the password through insider knowledge - he worked previously for a related firm - and the biz claimed he was a competitor.
In June 2023, a Jülich District Court in western Germany sided with the IT consultant because the Modern Solution software was insufficiently protected.
News URL
https://go.theregister.com/feed/www.theregister.com/2024/01/19/germany_fine_security/