German IT Consultant Fined Thousands for Reporting Security Failing
The company, Modern Solution, had misconfigured a cloud database, but argues the contractor could only have found the password through insider knowledge.
January 22, 2024
After discovering and reporting a vulnerability in an e-commerce database that was putting customers and their personal information at risk, a security researcher in Germany was fined €3,000 for doing so.
In 2021, a contractor known as Hendrik H. said he was troubleshooting software for Modern Solution GmbH when he realized that the password for the remote server was stored in plain text in MSConnext.exe. Stored that way, the password was easy to find, and a threat actor who obtained it could have reached everything stored on the database server, including customer information.
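The failing described above, a server password sitting in plain text inside a shipped client executable, is something a vendor can check for before release with a simple strings scan. The scanner below is an added example, not code from the article or from Modern Solution; the sample bytes, field names and the connection-string layout are constructed for illustration, and the assumption that the credential appeared in a connection-string-like form is mine, not the article's.

```python
import re

# Minimum run of printable bytes treated as a string, as the strings(1) tool does.
MIN_LEN = 6
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE runs: printable byte followed by NUL, the encoding of .NET string literals.
_UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Keys that, when followed by a literal value, indicate an embedded credential
# (ADO.NET/ODBC-style connection strings and plain key=value settings).
_CRED_KEY = re.compile(
    r"(?i)\b(password|pwd|passwd|secret|api[_-]?key)\s*[=:]\s*([^;\"'\s]+)"
)

def extract_strings(blob: bytes):
    """Yield printable strings from a binary, ASCII runs first, then UTF-16LE runs."""
    for m in _ASCII_RUN.finditer(blob):
        yield m.group().decode("ascii")
    for m in _UTF16_RUN.finditer(blob):
        yield m.group().decode("utf-16-le")

def find_embedded_credentials(blob: bytes):
    """Return (key, redacted_value, context) for each credential-looking string in blob."""
    hits = []
    for s in extract_strings(blob):
        for m in _CRED_KEY.finditer(s):
            key, value = m.group(1), m.group(2)
            # Redact before reporting so the scanner's own output does not leak the secret.
            redacted = value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "**"
            hits.append((key.lower(), redacted, s[:80]))
    return hits

# Constructed sample "binary": junk bytes around an ASCII connection string and a
# UTF-16LE API key. None of these values come from the article or from any real product.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"Server=db.example.invalid;Database=shop;User Id=app;Password=Sup3rSecret!;"
    b"\x00\x01\x02\xfe"
    + "ApiKey=abcd1234efgh".encode("utf-16-le")
    + b"\x00\x00version 1.2.3\x00"
)

if __name__ == "__main__":
    for key, value, ctx in find_embedded_credentials(SAMPLE_BLOB):
        print(f"{key}: {value}  (in: {ctx!r})")
```

Run against a real build artifact, any hit is a release blocker: the credential belongs in a server-side secret store or per-user token, not in the client binary.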
In response, Modern Solution released a statement saying, "We currently do not know to what extent this data was passed on or further used by the 'ethical hacker', and whether further access occurred. We are working intensively to investigate the incident."
The statement claimed that only a limited amount of data was exposed, though some argue that far more was at stake. Mark Steier, who wrote about the contractor's initial findings for Wortfilter.de, argued that the vulnerability in Modern Solution's software was much more serious than the company conveyed.
In September 2023, Hendrik H. was charged with unlawful access under Germany's Criminal Code, after Modern Solution filed a complaint alleging that he was a competitor who had obtained the password through insider knowledge.
The Jülich District Court initially sided with Hendrik H. in June 2023, on the basis that Modern Solution's software did not sufficiently protect the database. However, the case was appealed to the Aachen regional court, after which the district court reversed its decision on Jan. 17, leaving Hendrik H. fined and liable for the court costs.
Hendrik H. reportedly intends to appeal this decision.