On 22.11.2018, the State Commissioner for Data Protection and Freedom of Information (LfDI) of the German Federal State of Baden-Württemberg published information on the first DSGVO (GDPR) penalty imposed in Germany. The fine was imposed on Knuddels GmbH & Co. KG, the operator of the well-known chat portal knuddels.de.
Due to an error by those responsible, attackers were able to access the personal data of approximately 330,000 members, for which the authority imposed a fine of € 20,000. According to the State Commissioner for Data Protection of Baden-Württemberg, the transparent procedure and the immediate reporting of the data theft were the main reasons for the mild verdict.
We’d like to go over this case in more detail.
The portal knuddels.de was founded in Karlsruhe in 1999 and, particularly in the early 2000s, was one of the most popular chat platforms in the German-speaking countries. Users registered on the website and could chat in various chat rooms. In addition, there was a wide range of loyalty bonuses such as smileys, personal homepages, virtual roses, etc., which were made available to loyal users or could be purchased for a fee. Another special feature was that members could be selected by the community for various roles (moderator, administrator) and thus became part of day-to-day operations. These roles were performed without pay.
On 6 September, a former member of the platform informed the operators that approximately 8000 data records had been published on a platform called Pastebin. The nickname (a pseudonym chosen by the user, which is required for registration) and password were included in all records, as were e-mail addresses (in 57% of the cases), first names (41%) and places of residence (30%) of the users. The main problem was that the passwords were available in plain text and not as hash values, as the state of the art requires.
With so-called hashing, the password is passed through a mathematical function. The result is the hash. The entered password cannot be recovered from the hash, so not even the platform operator knows the password. When a user wants to log in, the entered password is passed through the same hash function and the result is compared with the entry stored in the database.
Measures taken by operators
As an initial measure, the operator blocked the accounts of the members concerned and had the data deleted from the Pastebin platform. The passwords stored in plain text were also removed from the databases, and the company's data protection officer (not to be confused with the state data protection commissioner!) was informed about the incident. According to the operators, these measures were completed by 2 a.m. on 7 September, and a function was implemented to allow users to reset their account password.
The very next day, knuddels.de was informed by another member that further data records had been published: approximately 1.9 million records had been uploaded to a file hoster. As a result, all Knuddels users had to change their password.
According to the authorities, the operators reported the data protection breach on 8 September and thus within the 72-hour period prescribed by the GDPR (see GDPR Article 33 Paragraph 1).
An outdated backup server was identified as the cause of the data theft. Because it had not received updates, it was a weak point in the security setup.
Also worth mentioning is the operators' statement that passwords have been stored as hash values since 2012. For the “password filter” function, however, the password was additionally saved in plain text.
This function was itself a security measure: if a user's own password appeared in a chat message, sending that message was blocked, even if it was typed backwards. The background lies in the platform's bonus system. Shortly after the platform was launched, many dishonest users tried to steal loyalty bonuses, such as so-called Knuddels (virtual hugs), from inexperienced members. To do this, they sent the victims messages that looked like system messages and prompted them to enter their password. The password filter was meant to prevent this.
The report to the data protection authority led to fine proceedings against Knuddels GmbH & Co. KG. According to Stefan Brink, head of the LfDI, the company's transparent conduct towards the authorities and, in particular, towards those affected had a positive effect on the amount of the fine. The report to the authorities was made in due time, and users were informed several times about the state of affairs, not only via the company's own homepage but also via other channels such as Facebook and Twitter. In addition, an e-mail was sent to all members when it became known that all users were affected by the data leak. This message also pointed out that users should change their login data on other websites if they had used the same password there.
In addition to the transparent information policy, the authority also noted positively that the operators had taken further measures in the weeks following the incident to improve security. According to the LfDI press release, these measures were taken in close cooperation with the LfDI.
Level of penalty
The fine of € 20,000 seems high at first glance, but it amounts to just one cent per stolen data record. According to the DSGVO, a penalty must be “effective, proportionate and dissuasive” (see GDPR Article 83 Paragraph 1). In its press release, the data protection authority repeatedly emphasised that the company's exemplary conduct had contributed considerably to mitigating the fine. Without this willingness and the comprehensive information campaign for those affected, the fine would have been significantly higher.
Whoever learns from damage and contributes transparently to the improvement of data protection can also emerge stronger as a company from a hacker attack. As a fine authority, the LfDI is not interested in competing for the highest possible fines. In the end, it is the improvement of data protection and data security that counts for the users concerned.
– Stefan Brink, State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
This quote sums up the basic considerations of the General Data Protection Regulation very well. Nevertheless, it can be assumed that fines will rise in the future. The sale of personal data is a flourishing business, and significantly higher sums are paid on the black market for e-mail addresses together with plain-text passwords. If the authorities do not keep pace, there is a danger that companies will unlawfully sell personal data and deliberately accept the fines.
Finally, it should be noted that regular maintenance of IT systems is essential. This also includes the continuous improvement of these systems. Otherwise, the security of data processing cannot be guaranteed in the long term (see Security of processing).