This article first appeared in Threatpost on November 26, 2018.
It’s Germany’s first GDPR fine, for an incident that affected millions of accounts.
Germany has slapped a popular in-region dating, flirting and chat service with a €20,000 fine (or around $22,667), after a hack affected more than 1.8 million accounts this summer.
The Baden-Württemberg Data Protection Authority announced last week it had issued the fine, which is the country’s first to be doled out under the E.U.-wide General Data Protection Regulation that went into effect last May.
The social chat service, Knuddels, saw about 808,000 email addresses and over 1.8 million usernames and passwords exposed after an attack in July; the perpetrators went on to publish the information online at Pastebin and the Mega cloud storage service in cleartext form. An investigation by regulators showed that the website stored its data in plain text with no safeguards – which Knuddels confirmed.
“In 2012, the storage of passwords was introduced as a hash,” the company said on its message boards (translation by Google). “The non-hashed version of the passwords, however, was also preserved.”
The company quickly deleted the un-hashed version of the passwords, adding, “We are sorry that we did not take this step earlier.”
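The failure described above (a password hash introduced while the cleartext copy was kept alongside it) is illustrated by this added example, which is not Knuddels' code: it hashes each password with scrypt, drops the cleartext field entirely, and includes an audit check that reports any record still carrying one. The record shape, the field names and the scrypt parameters are assumptions.

```python
import hashlib
import hmac
import os

# Constructed legacy records: the cleartext password is still stored.
LEGACY_RECORDS = [
    {"user": "alice", "password": "correct horse"},
    {"user": "bob", "password": "hunter2"},
]

# scrypt cost parameters (assumed): 128 * n * r bytes = 16 MiB of memory.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing 'scrypt$<salt hex>$<digest hex>' string."""
    salt = salt or os.urandom(16)  # fresh random salt per password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def migrate(records):
    """Hash every password and emit records without the cleartext field."""
    return [{"user": r["user"], "hash": hash_password(r["password"])} for r in records]


def cleartext_fields(records):
    """Audit check: users whose record still carries a cleartext password."""
    return [r["user"] for r in records if "password" in r]


if __name__ == "__main__":
    print("before migration, cleartext for:", cleartext_fields(LEGACY_RECORDS))
    migrated = migrate(LEGACY_RECORDS)
    print("after migration, cleartext for:", cleartext_fields(migrated))
    print("bob logs in:", verify_password("hunter2", migrated[1]["hash"]))
```

Running the audit check against the live store after migration, rather than assuming the old column is gone, is the step the passage above shows being skipped.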
Knuddels learned of the attack in September, and went on to inform its users, temporarily deactivating all accounts. It also notified LfDI Baden-Württemberg in accordance with the GDPR and is implementing additional security measures.
“Knuddels is safer than ever,” Holger Kujath, the managing director of Knuddels, told Spiegel Online.
Greg Silberman, chief privacy officer at Cylance, told Threatpost that the enforcement brings a bit of clarity to the GDPR’s language around compliance, which is notoriously vague.
“While only one of the 99 Articles of the GDPR addresses Security of Data Processing (Article 32), this fine should serve as a reminder to companies large and small that part of their compliance obligation under GDPR is ‘to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk,’” he told us. “A company may perfectly comply with the other 98 Articles of the GDPR, but if they don’t implement appropriate security measures, they will still be fined.”
The fine would have been higher, but the company’s transparency in working with the data protection watchdog stood it in good stead. Depending on the severity of the incident, the GDPR provides for fines of up to €20 million or 4 percent of the annual revenue of the prior fiscal year. The regulators said that the penalty was “proportionate.”
“Those who learn from harm and act transparently to improve data protection can emerge stronger as a company from a hacker attack,” LfDI Baden-Württemberg said in a notice. “As a fine, the LfDI is not interested in entering into a competition for the highest possible fines. The bottom line is improving privacy and data security for the users.”
The GDPR has been slow to result in significant fines, but the tide could be turning on that, according to Mike Bittner, digital and security operations manager at The Media Trust.
“The growing number of data privacy regulations are changing business practices in ways that will be unalterable,” he said via email. “In today’s post-GDPR world, data compliance is a revenue strategy. That means two important points: first, all businesses must obtain informed, specific consent from consumers before collecting their data, and, second, they must ensure that data is secure…While companies might be able to reduce the penalties by demonstrating transparency, quick remediation, and the desire to cooperate with regulators, the unwanted media attention on the security mishap and GDPR sanction could erode consumers’ trust in their brand and reduce revenues.”