Updated: Apr 13, 2020
The Baden-Württemberg Data Protection Authority (LfDI), a German regional regulator, imposed a fine of 20,000 euros on a social media provider for breaching its data security obligations under Art. 32 of the GDPR, after unencrypted data was stolen from the local chat app Knuddels, affecting hundreds of thousands of users. This is a small price to pay considering that the company stored user passwords and email addresses in plain text.
The attackers published around 330,000 verified credentials on Pastebin and Mega in September 2018. The real number of affected users is thought to be much higher than the confirmed figure, with over 800,000 email addresses and over 1.8 million passwords reportedly stolen.
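The root failure here is that the stored value was the password itself, so the stolen table was immediately usable for logins. The following added example (written for this page, not Knuddels' code; the store classes, the PBKDF2 parameters and the sample users are assumptions) contrasts a plain-text store with a salted-KDF store behind the same interface and counts how many stolen rows still log in as-is:

```python
import hashlib
import hmac
import os

# Demo parameters (assumptions): PBKDF2-HMAC-SHA256 with a 16-byte random salt
# per user. 200,000 iterations is a placeholder; tune it to your login latency budget.
ITERATIONS = 200_000
SALT_LEN = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a salted hash and encode salt and parameters into one storable string."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def check_password(password: str, encoded: str) -> bool:
    """Re-derive with the stored salt and parameters; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = encoded.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except ValueError:
        return False  # malformed record: never treat as a match
    return hmac.compare_digest(digest, expected)


class PlaintextStore:
    """The Knuddels-style failure: the stored value is the password itself."""

    def __init__(self):
        self._rows = {}

    def add_user(self, email, password):
        self._rows[email] = password

    def verify(self, email, password):
        return self._rows.get(email) == password

    def dump(self):
        """What a thief walks away with."""
        return dict(self._rows)


class HashedStore:
    """Same interface, but the stored value cannot be replayed as a password."""

    def __init__(self, iterations=ITERATIONS):
        self.iterations = iterations
        self._rows = {}
        # Dummy record so a lookup of an unknown email also costs one KDF run,
        # which keeps response time from revealing which emails are registered.
        self._dummy = hash_password("", iterations)

    def add_user(self, email, password):
        self._rows[email] = hash_password(password, self.iterations)

    def verify(self, email, password):
        row = self._rows.get(email)
        if row is None:
            check_password(password, self._dummy)  # burn the same time, then refuse
            return False
        return check_password(password, row)

    def dump(self):
        return dict(self._rows)


def usable_after_theft(store):
    """Count stolen rows that log in as-is, i.e. what a pasted dump is worth to an attacker."""
    return sum(1 for email, stored in store.dump().items() if store.verify(email, stored))


if __name__ == "__main__":
    for cls in (PlaintextStore, HashedStore):
        store = cls()
        store.add_user("alice@example.com", "hunter2")  # constructed sample users
        store.add_user("bob@example.com", "hunter2")
        print(cls.__name__, "rows usable after theft:", usable_after_theft(store))
```

Two things the counts do not show but the dump does: the per-user salt means two users with the same password get different records, so a cracked hash cannot be reused across rows, and the iteration count is stored with each record, so it can be raised later and old rows re-hashed at next login without a migration.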
Although Knuddels broke a core requirement of the GDPR, the company's cooperation with the LfDI, responding with speed and transparency, was key to avoiding a higher fine.
In a statement, the regional regulator said: “The company implemented extensive measures to improve its IT security architecture within a few weeks, bringing its users’ data up to date. In addition, the company will implement additional measures to further improve data security in the coming weeks in coordination with LfDI.”
“The very good cooperation with the LfDI spoke in particular to the benefit of the company. The transparency of the company was just as exemplary as its readiness to implement the guidelines and recommendations of the State Commissioner for Data Protection and Freedom of Information. In this way, the security of the user data of the social media service could be significantly improved in a very short time.”
The course taken in this case may put the GDPR in a positive light and reassure Data Protection Officers (DPOs) who have been waiting to see how regulators would enforce the law. It suggests the EU does not intend to use the regulation as a cash cow, placing the emphasis on education rather than on making an example of organizations.