After a hacker attack on the chat platform Knuddels, more than 808,000 email addresses as well as 1,872,000 pseudonyms and passwords stored in plain text were published. As a result, the supervisory authority had only imposed a fine of EUR 20,000, heise online reported on Nov. 22, 2018.
Praise for gross negligence?
According to the report, Stefan Bring, the data protection commissioner of Baden-Württemberg, is said to have praised the exemplary cooperation with the company. The promise of improvement and the willingness to cooperate are said to have persuaded the supervisory authority to limit itself to a fine of EUR 20,000.
Article 33 of the GDPR (Notification of personal data breaches to the supervisory authority) and Article 34 of the GDPR (Notification of the data subject of a personal data breach) clearly state what the company must do in the event of a breach. If a company adheres to this in the event of a breach, this is not exemplary, but DSGVO-compliant and self-evident. No more and no less.
Passwords in plain text? That is not state of the art
According to Article 32 of the GDPR (Security of Processing) every company is obliged to carry out the processing of personal data according to the state of the art. Storing passwords in plain text is definitely not state of the art. In my view, this is grossly negligent and should be punished with much more than 20,000 EUR fine.
According to golem.de, Knuddels.de wants to spend a six-figure sum for the fine and the upcoming improvement of IT security. So if 20,000 EUR fine is paid and at least 80,000 EUR is invested in the state of the art, it is a considerable sum, but long overdue.
Data protection impact assessment
Art. 35 GDPR - Data Protection Impact Assessment states in para. 7 lit. d) "The impact assessment shall include at least: the mitigating measures envisaged to address the risks, including safeguards, security measures and procedures to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other data subjects".
A properly conducted data protection impact assessment would have revealed that the Knuddels online service simply stores passwords in plain text, thus opening the door to unauthorized access. Password encryption and authentication security are known to be central issues in data protection.
Anyone who processes personal data in large (even small) quantities and does not carry out a data protection impact assessment, or only a superficial one, is acting with gross negligence.