Privacy blunder: Xero user sees other people's PayPal transactions

Image / 123rf

Online payment platform PayPal appears to have made a major privacy gaffe with its automated feed to Xero users.

Ben Kepes took to Twitter this morning after other people's PayPal transactions appeared in his Xero bank reconciliation window.

The entrepreneur and tech commentator subsequently sent the Herald two screengrabs to prove his point.

Oh my. The @PayPal bank recon window within my @Xero is full of other people's transactions. Not sure what happened but this is a big #privacy #security screwup / @NZPrivacy

— Ben Kepes (@benkepes) August 4, 2021

They show email addresses and transaction details from a dozen seemingly random users. One bought a guitar, another took a Lyft ride. All appeared to be offshore.

Kepes immediately alerted Xero support, but he told the Herald that the Kiwi online accounting software company is probably not to blame.

"This is highly likely to be a PayPal screwup. As such, Xero is likely an innocent party and impacted by their partner's issue," Kepes said.

"It is a cautionary tale about our increasingly connected and cloud-integrated world, however."

Kepes will be better-placed than most to grapple with that challenge. Earlier this month, he was appointed a director of state-owned enterprise Kordia, which has recently been on a drive to expand its privacy and security services.

Xero has around 2.8 million users worldwide, including 446,000 in New Zealand.

But a spokeswoman for the company said early indications were that it was not a system-wide glitch.

"We are conducting a detailed investigation and at this stage we believe this was an isolated incident. Due to customer confidentiality obligations we are unable to comment further and will be discussing this with Ben shortly," she said.

PayPal has been asked for comment.