IT consultant fined for daring to expose shoddy security

January 19, 2024 at 01:52AM

A German security researcher was fined €3,000 for uncovering an e-commerce database vulnerability affecting almost 700,000 customer records. The contractor, Hendrik H., discovered a plaintext password stored in a program file, which provided potential access to customer data. Although a court initially sided with him, the Jülich District Court later fined him under Germany’s cybersecurity law, prompting widespread frustration and criticism.

Key Takeaways:

– A security researcher in Germany, identified as Hendrik H., was fined €3,000 for finding and reporting an e-commerce database vulnerability that exposed 700,000 customer records.
– Hendrik H. discovered that an IT services firm, Modern Solution GmbH, had stored a plaintext password for a MariaDB database server in its program file MSConnect.exe, exposing sensitive customer data to unauthorized access.
– Modern Solution downplayed the seriousness of the exposure, claiming only limited customer data was affected, while reports alleged that extensive customer data from online stores operated by its clients was exposed.
– In response to the incident, police seized the IT consultant’s computers, and he was charged with unlawful data access under Germany’s cybersecurity law.
– A district court initially sided with the IT consultant, citing insufficient protection of Modern Solution’s software, but later reversed its decision, fining Hendrik H. and ordering him to pay court costs.
– The court’s decision has raised concerns among security researchers and experts, since it may have a chilling effect on legitimate security research and allow companies to avoid accountability for inadequate security measures.
