IT Experts Outsmart Public Prosecutor’s Office with Modern Solution

Modern Solution: Public prosecutor's office fails with charges against IT experts

The district court of Jülich has rejected the criminal proceedings requested by the Cologne public prosecutor’s office against the IT expert who discovered a security gap in the software of the company Modern Solution in 2021. The judges in Jülich stated that there was no criminal offense because the data the security expert accessed during his investigation was not effectively protected. Modern Solution had reported the programmer instead of thanking him for finding the vulnerability. Because of the software’s ineffective protection, the data of over 700,000 end customers of various online shops had become publicly accessible.

Two years ago, a security researcher discovered a vulnerability in software from the German company Modern Solution from Gladbeck in the Ruhr area. The software connects the merchandise management systems of its customers with the software from online marketplaces such as Otto, Kaufland, and Check24. As a result of the security gap, the data of end customers were visible. The security researcher contacted the Modern Solution company and informed them of the vulnerability. However, Modern Solution filed a complaint against the security expert instead of rewarding him with a bug bounty.

The public prosecutor’s office in Cologne then investigated the security expert for spying on data, receiving stolen data, and violating the Federal Data Protection Act. These investigations resulted in an application for criminal proceedings for spying out data before the district court in Jülich. During a house search, the freelance programmer’s entire work equipment was confiscated.

A decision by the Jülich District Court in May 2023 states that the criminal proceedings against the security researcher have been rejected for legal reasons. The court rejected the public prosecutor’s office’s application, indicating that the accessed data was not sufficiently secured: the password protection in place was not enough to prevent unauthorized access to the data. The court added that effective protection presupposes measures that are objectively suitable to prevent access to the data.

Although the security researcher and the blogger he informed published the security gap very quickly, the disclosure followed the basic rules of so-called Responsible Disclosure. The company could have been given more time between disclosure and publication. After almost a year and a half, the IT expert finally got the confiscated devices back as part of the decision by the Jülich District Court. However, the public prosecutor’s office in Cologne has appealed against the judgment of the district court in Jülich.
