German company fined for storing passwords in plain text

A German social media service provider has been fined 20,000 euros after a data breach revealed that the passwords had been stored unencrypted.

The company contacted the LfDI, the Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg, on September 8, to report a data breach. In an attack in July, 330,000 users’ personal information, including passwords and email addresses, was stolen. According to Der Spiegel, it concerns the chat platform Knuddels and 808,000 email addresses and 1.8 million usernames were stolen. In total, Knuddels would have 1.2 million unique users.

After Knuddels handed over the details about the hack and its infrastructure, the data protection authority LfDI found that the platform had stored its users’ passwords in plain text, i.e. unencrypted. The company would use the plain text passwords for a ‘password filter’ to prevent them from getting into the hands of unauthorized persons, the LfDI writes.

By storing the passwords insecurely, the company has allegedly violated Article 32(1) of the GDPR, which requires data processors to take appropriate technical measures “to ensure a level of security appropriate to the risk”, including through pseudonymization and encryption. of personal data. In the meantime, the service is said to have taken measures to put its IT security infrastructure in order. In determining the amount of the fine, the total costs for the company were taken into account, which would amount to an undisclosed amount of six figures.