German chat site faces fine under GDPR after data breach


The country’s first fine under GDPR is lower than might have been expected, however, as the company was acknowledged for its post-incident cooperation and enhanced security measures.

A German social media platform called Knuddels.de has been fined €20,000 following a breach that exposed the personal information of 330,000 users, including their passwords and e-mail addresses, according to a statement (in German) by the regional Baden-Württemberg data protection watchdog (LfDI Baden-Württemberg).

The chat/flirt/social media site, which is one of the country’s largest chat platforms, notified the authority in September after it learned that 1.87 million username/password combinations and over 800,000 e-mail addresses were dumped on Mega.nz and Pastebin.com.

The site said that it had verified that 330,000 emails belonged to unique users. In some cases, the users’ real first names and places of residence were also leaked in the attack that was found to have taken place in July.

The probe showed that the site stored user passwords in plain text rather than as hashes, so anyone holding a copy of the database could read every password directly; this was the violation for which the fine was ultimately imposed.

“By storing the passwords in clear text, the company knowingly violated its duty to ensure data security in the processing of personal data in accordance with GDPR Article 32(1)(a),” reads the statement by the data protection authority. The provision concerned, in the European Union’s General Data Protection Regulation (GDPR), covers “the pseudonymisation and encryption of personal data”.
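To make the security-relevant point concrete, the following is an added example (it is not code from the article, from Knuddels.de or from the regulator) contrasting the failure mode described above with the standard remedy: a per-user random salt, a deliberately slow key-derivation function, constant-time comparison, and a record format that carries its own parameters so the work factor can be raised later. It also shows the practical step a site sitting on a plaintext table has to take, since it cannot hash passwords it does not see again: migrate each record at the user's next successful login. It uses only the Python standard library (PBKDF2-HMAC-SHA256; scrypt or Argon2 are preferable where available), and the sample records are constructed for illustration.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. 600,000 iterations follows current OWASP
# guidance; raise it over time and let needs_rehash() flag older records.
PBKDF2_ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"


def verify_plaintext(store: dict, user: str, password: str) -> bool:
    """The failure mode from the article: the stored value IS the password.
    Whoever copies `store` has every credential in the clear."""
    return store.get(user) == password


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a salted, slow hash and encode it together with its parameters,
    so a verifier can recompute it and the work factor can be upgraded later."""
    salt = os.urandom(16)  # fresh random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def _parse(stored: str):
    """Split 'algo$iterations$salt$hash'; return None for anything malformed."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return None
    try:
        return int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None


def verify_password(stored: str, password: str) -> bool:
    parsed = _parse(stored)
    if parsed is None:
        return False  # malformed or foreign record never verifies
    iterations, salt, expected = parsed
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)  # constant-time comparison


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True for legacy/plaintext records and for hashes below the current work factor."""
    parsed = _parse(stored)
    return parsed is None or parsed[0] < iterations


def login_and_migrate(store: dict, user: str, password: str) -> bool:
    """Verify against either a legacy plaintext record or a hashed one, and on a
    successful login replace any legacy or under-strength record with a current
    hash. The site cannot hash passwords it no longer sees; the login is the one
    moment the cleartext is legitimately in hand."""
    record = store.get(user)
    if record is None:
        return False
    if _parse(record) is not None:
        ok = verify_password(record, password)
    else:  # legacy plaintext row (hypothetical store layout, assumed here)
        ok = hmac.compare_digest(record.encode("utf-8"), password.encode("utf-8"))
    if ok and needs_rehash(record):
        store[user] = hash_password(password)
    return ok


if __name__ == "__main__":
    # Constructed sample records, not real user data.
    legacy = {"alice": "correct horse battery staple"}
    print("legacy dump reveals:", legacy["alice"])
    assert login_and_migrate(legacy, "alice", "correct horse battery staple")
    print("after migration:", legacy["alice"][:48], "...")
    assert not login_and_migrate(legacy, "alice", "wrong")
```

The stored string after migration reveals only the algorithm, the iteration count, the salt and the derived key, none of which gives an attacker the password without a per-record brute-force costing 600,000 HMAC evaluations per guess. Two points practitioners often miss are built in: the verifier rejects malformed records instead of raising, and the salt prevents a single precomputed table from covering the whole dump.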

The data protection authority acknowledged what it called “very good cooperation” and “exemplary transparency” on the platform’s part, as well as a range of enhanced security measures that the site has put in place since the incident occurred and that continue to be implemented in conjunction with the authority.

This, together with the watchdog’s consideration of “the overall financial burden on the company” and other factors, appears to have helped keep the penalty relatively low.

GDPR envisages maximum potential fines of up to €20 million (£17.6 million) or 4% of the offender’s global annual turnover, whichever is higher.

“Knuddels is now safer than ever,” the platform’s managing director Holger Kujath was quoted as telling Spiegel. Knuddels.de, operating since 1999, claims to have more than two million members.

written by Tomas Foltyn, ESET We Live Security
