German IT Consultant Fined Thousands for Reporting Security Failing
The company, Modern Solution, had misconfigured a cloud database, but argues the contractor could only have found the password through insider knowledge.
January 22, 2024
After discovering and reporting a vulnerability in an e-commerce database that was putting customers and their personal information at risk, a security researcher in Germany was fined €3,000 for doing so.
In 2021, a contractor, known as Hendrik H., said he was troubleshooting software for Modern Solution GmbH when he realized that the password for accessing the remote server was stored in plain text in MSConnext.exe. Stored this way, the password would be simple for many to find, and a threat actor could use it to access everything stored on the database server, including customer information.
In response, Modern Solution released a statement saying, "We currently do not know to what extent this data was passed on or further used by the 'ethical hacker', and whether further access occurred. We are working intensively to investigate the incident."
The statement claimed that a limited amount of data was exposed, though some argue that it was much more than this. Mark Steier, who wrote about the contractor's initial findings for Wortfilter.de, argued that the vulnerability in Modern Solution was much more serious than the company was conveying it to be.
In September 2023, Hendrik H. was charged with unlawful access according to Germany's Criminal Code, after Modern Solution filed a complaint alleging that he was a competitor who obtained the password through insider knowledge.
The Jülich District Court initially sided with Hendrik H. in June 2023, on the basis that Modern Solution's software did not have sufficient protection for the database. However, the case was appealed to the Aachen regional court, after which the district court reversed its decision on Jan. 17, leaving Hendrik H. fined and responsible for paying court costs.
Hendrik H. reportedly intends to appeal this decision.