windeln.de confirms data security incident
Munich, September 16, 2020: windeln.de SE ("windeln.de", "Group" or "Company"; ISIN DE000WNDL201) said in a statement:
Between June 10 and 23, 2020, some of our customers' data was temporarily lying on an unprotected server. The reason for this was a bug in maintenance work, which has now been fixed. The data is now protected again.
Only customers who logged in to our website via the app or a browser between 24 May and 23 June 2020 are affected. The server serves as a cache that automatically deletes the data every four weeks at the latest. Therefore, unfortunately, it is currently not possible for us to understand which and how many customers are affected.
According to the current state of knowledge, there was no information on means of payment on the server – such as credit card numbers. However, among other things, there was data such as names, e-mail addresses, postal addresses, telephone numbers and the order history of affected users as well as in some cases the dates of birth and names of their children.
IT security experts outside our company had discovered the insecure spot. Whether unauthorized third parties also had access to the data is still unclear. We have launched a comprehensive investigation and are working hard to establish the facts with the help of external IT forensics.
"We very much regret this process and apologize to all affected customers. We take the protection of user data very seriously. Now it is important for us to clarify the details, to learn from the events and to avert damage to affected customers as far as possible," said the CEO of windeln.de SE, Matthias Peuckert.
The company had learned of the insecure server through a tip from the Federal Office for Information Security (BSI) and reacted immediately.
windeln.de SE will continue to provide information on the progress of its investigation.