The details of around 150,000 customers of the German chemist chain Schlecker have been exposed.
According to a report by The Local, the mistake was the fault of an external service provider; it has since been fixed and the data is no longer available online. The exposed data consisted of online customers' details, including first and second names, addresses, genders, email addresses and customer profiles. A further 7.1 million email addresses of customers receiving the firm's newsletter were also available.
A spokesperson for Schlecker said that account numbers and passwords were never vulnerable.
Tobias Huch, an information protection specialist who discovered the data online, said: “We stumbled on this data breach by accident. Then we realised: this is no data leak, this is a wide-open door. They (cyber criminals) would write to the customers in the name of Schlecker – directly over the publicly available mail server. The customer would trust the correspondent, thinking, ‘Yes, it's Schlecker’. They would make purchases and hand over their bank details.”
On Friday Schlecker offered its online customers a voucher to the value of five euros via email, a company spokesman confirmed. The company states that the voucher is not a compensation payment but ‘a general goodwill gesture’.
A spokesman for the firm confirmed media reports that the personal data of online customers had, for an unspecified time, been on the internet and available to any web user.
Identity theft expert Robert Siciliano said: “Even if you are protecting your PC and keeping your critical security patches and anti-virus definitions updated, there is always a chance that your bank or credit card company may get hacked. I've received three letters accompanied by three replacement cards from my credit card companies over the last few years.
“Beyond that, if someone else's database is hacked and your Social Security number is compromised, you may never know about it unless they send you a letter or if you discover that someone has opened new accounts in your name.
“However, I wouldn't wait for your information to be hacked and a letter to come in the mail before you take responsibility for protecting yourself. Don't waste time by only handling identity theft reactively. Do something about it now.”