German IT Consultant Fined Thousands for Reporting Security Failing
The company, Modern Solution, had misconfigured a cloud database, but argues the contractor could only have found the password through insider knowledge.
January 22, 2024
After discovering and reporting a vulnerability in an e-commerce database that was putting customers and their personal information at risk, a security researcher in Germany was fined €3,000 for doing so.
In 2021, a contractor known as Hendrik H. said he was troubleshooting software for Modern Solution GmbH when he realized that the password for the remote server was stored in plain text in MSConnext.exe. Stored this way, the password would be simple for many to find, and a threat actor could use it to access everything stored on the database server, including customer information.
In response, Modern Solution released a statement saying, "We currently do not know to what extent this data was passed on or further used by the 'ethical hacker', and whether further access occurred. We are working intensively to investigate the incident."
The statement claimed that a limited amount of data was exposed, though some argue that it was much more than this. Mark Steier, who wrote about the contractor's initial findings for Wortfilter.de, argued that the vulnerability in Modern Solution's software was much more serious than the company was conveying.
In September 2023, Hendrik H. was charged with unlawful access under Germany's Criminal Code, after Modern Solution filed a complaint alleging that he was a competitor who obtained the password through insider knowledge.
The Jülich District Court initially sided with Hendrik H. in June 2023, on the basis that Modern Solution's software did not have sufficient protection for the database. However, the case was appealed to the Aachen regional court, after which the district court reversed its decision on Jan. 17, leaving Hendrik H. fined and responsible for paying court costs.
Hendrik H. reportedly intends to appeal this decision.