On Nov. 22, 2018, the State Commissioner for Data Protection and Freedom of Information (LfDI) of the German state of Baden-Württemberg published information on the first GDPR (German: DSGVO) fine imposed in Germany. The fine was imposed on Knuddels GmbH & Co KG, the operator of the well-known chat portal knuddels.de.
Due to an error by the responsible parties, attackers were able to obtain the personal data of approximately 330,000 members, which is why the authority imposed a fine of € 20,000. According to the data protection commissioner of the state of Baden-Württemberg, the transparent procedure and the immediate reporting of the data theft were the main reasons for the lenient verdict.
We would like to work through this case in detail.
The portal knuddels.de was founded in Karlsruhe in 1999 and was one of the most popular chat platforms in German-speaking countries, especially in the early 2000s. Users registered on the website and could chat in various chat rooms. In addition, there was a variety of loyalty bonuses such as smileys, personal home pages, virtual roses, etc., which were granted to loyal users and/or could be purchased. Another special feature was that members could be elected by the community to various functions (moderator, administrator) and were thus integrated into the ongoing operation. These functions were carried out by the members free of charge.
On September 6, the operators were informed by a former member of the platform that about 8000 records had been published on a platform called Pastebin. All records contained the nickname (the pseudonym chosen by the user, which is required for logging in) and password, as well as the e-mail address (in 57% of cases), first name (41%) and place of residence (30%) of the users. The main problem was that the passwords were available in plain text and not as hash values, as the state of the art requires.
In so-called "hashing", the password is passed through a mathematical function. The result is the so-called hash. The entered password can NOT be calculated back from the hash, so not even the platform operator should know the password. When a user logs in, the entered password is passed through the same hash function and the result is compared with the entry in the database.
Measures taken by the operators
As an initial measure, the operator blocked the accounts of the affected members and arranged for the deletion of the data on the Pastebin platform. In addition, the passwords stored in plain text were removed from the databases, and the company's data protection officer (not to be confused with the state data protection commissioner!) was informed about the incident. According to the operators, these measures were completed by September 7, 02:00; at the same time, a function was implemented so that users could reset their account password.
The very next day, knuddels.de was informed by another member about newly published records: about 1.9 million records had been published on a file hosting service. As a result, all Knuddels users had to change their password.
According to the authorities, the data breach notification was made by the operators on September 8 and thus within the 72-hour period prescribed by the GDPR (see GDPR Article 33 Paragraph 1).
An outdated backup server was identified as the cause of the data theft. Because it had not been kept up to date with security updates, it was a weak point in the security architecture.
It is also worth mentioning the operators' statement that the passwords had been stored as hash values since 2012. For the "password filter" function, however, the password was additionally stored in plain text.
This function was itself a security measure. If a user's own password appeared in a chat message, sending of that message was blocked, even if the password had been typed backwards. The background lies in the platform's bonus system. Shortly after the launch of the platform, a number of dishonest users tried to steal the loyalty bonuses of inexperienced members, such as the so-called hugs (a virtual hug handed out as a bonus item). To do so, they sent the victims messages that looked like system messages and prompted them to enter their password. The password filter was intended to prevent this.
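The hashing scheme described above, and the point that a password filter does not require a plain-text copy of the password, as an added example that is not the page's or Knuddels' own code. It assumes a constructed in-memory user store and illustrative scrypt parameters; the filter variant checks whole message tokens (and their reverse) against the stored hash, which is a simplification of the original filter.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store for the example: nickname -> (salt, hash).
# Only the per-user salt and the scrypt output are stored, never the plaintext.
USERS: dict[str, tuple[bytes, bytes]] = {}


def _derive(password: str, salt: bytes) -> bytes:
    # scrypt is a deliberately slow, memory-hard key derivation function.
    # The parameters (N=2^14, r=8, p=1) are illustrative, not a recommendation.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2**14, r=8, p=1, dklen=32)


def register(nickname: str, password: str) -> None:
    salt = os.urandom(16)  # random per-user salt: identical passwords hash differently
    USERS[nickname] = (salt, _derive(password, salt))


def verify_login(nickname: str, password: str) -> bool:
    # The entered password is passed through the same function and the result
    # is compared (in constant time) with the stored hash.
    if nickname not in USERS:
        return False
    salt, stored = USERS[nickname]
    return hmac.compare_digest(_derive(password, salt), stored)


def message_leaks_password(nickname: str, message: str) -> bool:
    # Hash-side variant of the "password filter": each whitespace-separated
    # token of the outgoing message, and its reverse, is hashed with the
    # user's salt and compared to the stored hash. No plaintext copy is kept.
    # Limitation: only whole tokens are caught, and every token costs one
    # KDF call, so this is an illustration of the principle, not a drop-in.
    if nickname not in USERS:
        return False
    salt, stored = USERS[nickname]
    for token in message.split():
        for candidate in (token, token[::-1]):
            if hmac.compare_digest(_derive(candidate, salt), stored):
                return True
    return False
```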
The notification to the data protection authority resulted in fine proceedings against Knuddels GmbH & Co KG. According to Stefan Brink, head of the LfDI, the company's transparent behavior towards both the authorities and the affected parties had a particularly positive effect on the amount of the fine. The notification to the authority was made in due time, and the users were informed several times about the state of affairs, not only via the company's own homepage but also via other channels such as Facebook and Twitter. In addition, an e-mail was sent to all members when it became known that all users were affected by the data leak. This message also pointed out that credentials should be changed on other websites as well if the same password had been used there.
In addition to the transparent information policy, the fact that the operators took further measures to increase security in the weeks following the incident was also highlighted as positive. According to the LfDI press release, these measures were carried out in close cooperation with the authority.
The fine of € 20,000 may seem high at first, but it amounts to just one cent per stolen record. According to the GDPR, a penalty must be "effective, proportionate and dissuasive" (see GDPR Article 83 Paragraph 1). In its press release, the data protection authority emphasized several times that the exemplary behavior of the company contributed significantly to the mitigation of the penalty. Without this willingness and the comprehensive information campaign for those affected, the fine would have been significantly higher.
Companies that learn from damage and work transparently to improve data protection can also emerge stronger from a hacker attack. As a fine authority, the LfDI is not interested in competing for the highest possible fines. In the end, what counts is the improvement of data protection and data security for the users concerned.
– Stefan Brink, State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
This quote summarizes the basic considerations of the General Data Protection Regulation very well. Nevertheless, it can be assumed that fines will increase in the future. The sale of personal data is a flourishing business, and on the black market significantly higher sums are paid for e-mail addresses together with plain-text passwords. If the authorities do not respond with correspondingly higher fines, there is a risk that companies will sell personal data illegally and deliberately accept the fines as a cost of doing business.
In conclusion, regular maintenance of IT systems is essential. This includes continuously improving them. Otherwise, the security of data processing is not permanently guaranteed (see GDPR Article 32, Security of processing).