First GDPR fine imposed in Germany

22/11/2018 by Andreas Schindler

On Nov. 22, 2018, the State Commissioner for Data Protection and Freedom of Information (LfDI) of the German state of Baden-Württemberg published information on the first GDPR fine imposed in Germany. The fine was imposed on Knuddels GmbH & Co KG, the operator of the well-known chat portal knuddels.de.

Due to an error by the responsible parties, attackers were able to obtain the personal data of approximately 330,000 members, which is why the authority imposed a fine of € 20,000. According to the data protection commissioner of the state of Baden-Württemberg, the transparent procedure and the immediate reporting of the data theft were the main reasons for the lenient verdict.

We would like to work through this case in detail.

General information

The portal knuddels.de was founded in Karlsruhe in 1999 and was one of the most popular chat platforms in German-speaking countries, especially in the early 2000s. Users registered on the website and could chat in various chat rooms. In addition, there were a variety of loyalty bonuses such as smileys, personal home pages, virtual roses, etc., which were granted to loyal users or could be purchased. Another special feature was that members could be elected by the community to various functions (moderator, administrator) and were thus integrated into the ongoing operation. These functions were performed by those members free of charge.

Data theft

On September 6, the operators were informed by a former member of the platform that about 8,000 records had been published on the site Pastebin. All records contained the nickname (a pseudonym chosen by the user, which is required to log in) and the password, and in many cases also the e-mail address (57% of records), first name (41%) and place of residence (30%) of the user. The main problem was that the passwords were available in plain text rather than as hash values, as the state of the art requires.

Password hash

In so-called “hashing”, the password is run through a mathematical function; the result is the hash. The entered password can NOT be calculated back from the hash, so not even the platform operator should know the password. When a user logs in, the entered password is run through the same hash function and the result is compared with the entry in the database.
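To make the procedure above concrete, here is an added example (not code from the original article or from Knuddels) of salted, iterated password hashing with Python's standard library. The stored record contains only the algorithm name, the iteration count, a random salt and the derived hash; verification re-runs the same function on the login attempt. The iteration count and record layout are illustrative choices made for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Illustrative parameters (assumptions for this example, not values from the article).
ITERATIONS = 600_000   # work factor: slows down offline guessing of a leaked record
SALT_BYTES = 16        # random per-user salt: identical passwords yield different records


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iterations>$<salt>$<hash>'.

    The plain-text password never appears in the record, so a copy of the
    database does not reveal it. Passing an explicit salt is only useful for
    tests; in production the salt is always freshly generated.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Run the login attempt through the same function and compare with the stored record."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        rounds = int(iterations)
    except ValueError:
        # malformed or truncated record: treat as a failed login rather than crashing
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # constant-time comparison so the response time does not leak how many bytes matched
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)                                                 # what the database stores
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```

The point for the Knuddels case is the stored record: it is the only thing the operator needs to keep, and the only thing a leaked backup would contain. Any additional plain-text copy, as Knuddels kept for its password filter, undoes this protection regardless of how good the hash is.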

Measures taken by the operators

As an initial measure, the operator blocked the accounts of the affected members and arranged for the deletion of the data from Pastebin. In addition, the passwords stored in plain text were removed from the databases, and the data protection officer (not to be confused with the state data protection commissioner!) was informed about the incident. According to the operators, these measures were completed by September 7, 02:00, and a function was also implemented so that users could reset their account password.

The very next day, knuddels.de was informed by another member about newly published records: at a file hoster, the records of about 1.9 million users had been published. As a result, all Knuddels users had to change their password.

According to the authorities, the data breach notification was made by the operators on September 8 and thus within the 72-hour period prescribed by the GDPR (see GDPR Article 33 Paragraph 1).

Causes

An outdated backup server was identified as the cause of the data theft. Due to a lack of updates, this was a weak point in the security system.

It is also worth mentioning the operators’ statement that the passwords have been stored as hash values since 2012. For the “Password Filter” function, however, the password was still additionally stored in plain text.

Password filter

This function was a security measure: as soon as the user's own password appeared in a chat message, sending of that message was blocked, even if the password was typed backwards. The background lies in the platform's bonus system. Shortly after the launch of the platform, there were already a number of dishonest users who tried to steal the loyalty bonuses of inexperienced members, such as the so-called hugs (a kind of virtual hug). To do this, they sent the victims messages that looked like system messages and prompted them to enter their password. The password filter was intended to prevent this.

GDPR procedure

The notification to the data protection authority resulted in fine proceedings against Knuddels GmbH & Co KG. According to Stefan Brink, head of the LfDI, the company’s transparent behavior towards both the authorities and the affected parties had a particularly positive effect on the amount of the fine. The notification to the authority was made in due time, and the users were informed several times about the state of affairs, not only via the company's own homepage but also via other channels such as Facebook and Twitter. In addition, an e-mail was sent to all members when it became known that all users were affected by the data leak. This message also pointed out that the credentials should be changed on other websites too if the same password had been used there.

In addition to the transparent information policy, the fact that the operators took further measures to increase security in the weeks following the incident was also highlighted as positive. According to the LfDI press release, these measures were carried out in close cooperation with the LfDI.

Penalty amount

The fine of € 20,000 may seem high at first, but it amounts to just one cent per stolen record. According to the GDPR, a penalty must be “effective, proportionate and dissuasive” (see GDPR Article 83 Paragraph 1). In its press release, the data protection authority emphasized several times that the exemplary behavior of the company contributed significantly to the mitigation of the penalty. Without this willingness and the comprehensive information campaign for those affected, the fine would have been significantly higher.


Conclusion

Companies that learn from damage and work transparently to improve data protection can also emerge stronger from a hacker attack. As a fine authority, the LfDI is not interested in competing for the highest possible fines. In the end, what counts is the improvement of data protection and data security for the users concerned.

– Stefan Brink, State Commissioner for Data Protection and Freedom of Information Baden-Württemberg

This quote summarizes the basic considerations of the General Data Protection Regulation very well. Nevertheless, it can be assumed that fines will increase in the future. The sale of personal data is a flourishing business, and on the black market, significantly higher sums are paid for e-mail addresses including plain-text passwords. If the authority does not follow suit, there is a risk that companies will sell personal data illegally and deliberately accept fines.

In conclusion, regular maintenance of IT systems is essential. This also includes continuously improving them. Otherwise, the security of data processing is not permanently guaranteed (see Security of processing).


Press release of the State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
