The “Buy Now, Pay Later” provider Klarna, whose share price has fallen 19% since its IPO seven weeks ago, is facing scrutiny over a new and significant customer data issue. At the time of writing, the issue has yet to be resolved, just as millions of shoppers begin planning their major holiday purchases.
An error in its credit application form exposes what appears to be sensitive personal information belonging to other customers. The leak has been confirmed by a Klarna spokesperson, who declined to disclose the extent of the problem.
In the U.S. alone, Klarna is offered through retailers like Walmart, Macy’s, and Wayfair, which collectively process payments from more than 150 million customers each week. The question now is whether these retail partners will continue to rely on Klarna amid concerns about consumer trust and lost sales.
Exposed User Data
The issue came to light when a customer, considering an installment plan through Klarna’s online checkout this past weekend, noticed that several pages of their application form had been pre-filled with details apparently belonging to another user. The customer decided not to proceed with the application, fearing their own details could be visible to others.
I have seen the unmasked versions of all pages shared by the prospective customer and can verify their authenticity. To protect the potential victim, identifying details have been redacted for this publication in the example below. Each page appeared to contain personal information tied to an individual: first name, last name, date of birth, address, ZIP code, city, and state – raising questions about how Klarna handles sensitive data.
[Image: One of several screenshots showing pre-filled personal details that appear to belong to someone other than the user. Credit: Christer Holloman]
Klarna Responds, Denies System-Wide Issue
A Klarna spokesperson provided this official statement to me on Tuesday, November 4:
“We’ve been made aware of this case and have investigated it thoroughly. The issue is linked to a rare scenario that we are actively addressing, and we’ve taken steps to further strengthen our safeguards. We can confirm that this is not the result of a system-wide issue or a customer data breach.”
The company offered no further technical details on the root cause of this “rare scenario” and did not comment on how many users were affected, so one can only speculate.
A Troubling Pattern of “Rare Scenarios”
In an eerily similar incident back in February 2020, users reported that by entering only an email address and a ZIP code, forms would automatically populate with other users’ data. The exposed information included addresses, dates of birth, and telephone numbers. That global vulnerability allowed any third party with two easily obtainable data points to harvest sensitive personally identifiable information.
More recently, in December 2024, Klarna was fined $50 million in its native Sweden for systemic failures in its anti-money laundering (AML) controls. This followed a March 2022 fine of $800,000 for violating European privacy law. These compliance failures compound the damage from its 2021 data breach, which randomly exposed live account data of up to 9,500 users, another incident bearing similarities to the current case.
Risks Mount for “Buy Now, Pay Later” Giant
Despite Klarna’s characterization, security experts typically define any unauthorized exposure of sensitive, non-public data, even if unintentional, as a leak or breach, regardless of whether it stems from human error, a technical glitch, or a malicious attack. The incident raises serious questions about Klarna’s internal controls.
The BNPL sector, including players such as Klarna, Afterpay, and Affirm, has grown rapidly by offering shoppers instant, point-of-sale credit. This business model relies entirely on consumer trust and the secure handling of vast amounts of sensitive financial and personal data. The exposure of personally identifiable information provides criminals with key components to commit identity theft or fraud.
For investors, the timing of the incident could hardly be worse. With Klarna still under close scrutiny from regulators and fresh off a disappointing market debut, another data controversy threatens to erode confidence in its governance. As holiday transaction volumes surge, both investors and watchdogs will be watching closely to see whether Klarna’s assurances are matched by transparent action or if further regulatory intervention will be required to restore trust, a development that could reshape the economics of the entire industry.