Author Topic: First GDPR Sanction in Germany Fines Flirty Chat Platform EUR 20,000  (Read 672 times)

Posted by javajolt (Administrator)
Following a hack that resulted in leaking about 808,000 email addresses and over 1.8 million usernames and passwords, a social network website in Germany received a fine of EUR 20,000 from the Baden-Württemberg Data Protection Authority.

In July this year, the flirty chat platform Knuddels.de suffered a data breach, and the information stolen from its servers was published online in cleartext. A staff member said at the time that the incident affected every user who had an account with the service or a username for the chat platform on July 20, 2018.

According to a post from another team member, 330,000 of the leaked email addresses were verified, and once Knuddels learned of the leaks (one on Pastebin, another on the Mega cloud storage service), it improved its security measures, alerted users and reset their passwords.

It was later discovered that the website applied no protection at all to sensitive information such as passwords: they were stored in plaintext, neither hashed nor encrypted, so the stolen database was directly usable as a list of working credentials.

Sanctions under GDPR consider multiple aspects

If you think we made a typo and the penalty is missing a zero, we did not. To remove any confusion, converted to other currencies the fine incurred by Knuddels.de is about $23,000, or around £18,000.

This is the first penalty in Germany under the European Union General Data Protection Regulation (GDPR), which became enforceable on May 25, 2018.

Depending on the severity of the infringement, the GDPR provides for fines of up to EUR 20 million or 4% of the company's total worldwide annual turnover of the preceding financial year, whichever is higher.

When calculating the penalty, the authority also considers the number of people affected, the nature of the infringement, the mitigation actions taken, the preventive measures already in place, cooperation with the supervisory authority, any previous infringements, and whether the breach was reported to the data protection authority.

GDPR fine achieved its goal

It appears that Knuddels.de ticked almost every box for a more lenient penalty, but it failed to meet the data security requirements of Article 32(1)(a) of the GDPR, which names the pseudonymisation and encryption of personal data among the measures a controller is expected to implement where appropriate.
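The failure the fine turned on (passwords kept in plaintext, as described above) beside the salted, memory-hard hashing that would have met the Article 32(1)(a) expectation, as an added example; this is not Knuddels.de code, and the class names, the stored record format, the scrypt parameters and the must-reset handling are assumptions for illustration. It uses only the Python standard library.

```python
"""Plaintext password storage (the failure described above) beside a
salted scrypt store, plus a migration path for an existing plaintext
database. Added example, not Knuddels.de code; record format, parameter
values and helper names are assumptions chosen for illustration."""
import hashlib
import hmac
import os

# scrypt work factors (assumed values; tune for your own hardware).
# Memory use is 128 * N * r bytes, so 16 MiB here.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16   # bytes of random salt per user
DKLEN = 32      # bytes of derived key to store


class PlaintextStore:
    """How the breached site effectively worked: the password itself is the
    stored value, so a database dump *is* the credential list."""

    def __init__(self):
        self.users = {}

    def register(self, user, password):
        self.users[user] = password

    def verify(self, user, password):
        return self.users.get(user) == password


class HashedStore:
    """Stored value is 'scrypt$N$r$p$salt_hex$hash_hex'. A dump yields only
    per-user salted hashes, each of which must be brute-forced separately
    at the cost of one scrypt derivation per guess."""

    def __init__(self):
        self.users = {}
        self.must_reset = set()   # accounts whose password is known-exposed

    @staticmethod
    def _derive(password, salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P):
        return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                              n=n, r=r, p=p, dklen=DKLEN)

    def hash_password(self, password):
        salt = os.urandom(SALT_LEN)               # fresh salt per password
        digest = self._derive(password, salt)
        return "scrypt${}${}${}${}${}".format(
            SCRYPT_N, SCRYPT_R, SCRYPT_P, salt.hex(), digest.hex())

    def register(self, user, password):
        self.users[user] = self.hash_password(password)

    def verify(self, user, password):
        record = self.users.get(user)
        if record is None:
            # Burn a derivation anyway so an unknown username is not
            # distinguishable from a wrong password by response time.
            self._derive(password, b"\x00" * SALT_LEN)
            return False
        algo, n, r, p, salt_hex, hash_hex = record.split("$")
        if algo != "scrypt":
            return False
        # Parameters are read back from the record, so they can be raised
        # for new registrations without invalidating existing hashes.
        candidate = self._derive(password, bytes.fromhex(salt_hex),
                                 int(n), int(r), int(p))
        # Constant-time comparison of the derived key against the stored one.
        return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))

    @classmethod
    def migrate_from_plaintext(cls, legacy):
        """Rehash every record of a plaintext store. This closes the storage
        hole, but the old values may already have been read by an attacker,
        so every migrated account is flagged for a forced password reset,
        which is what the service did after the leak."""
        store = cls()
        for user, password in legacy.users.items():
            store.register(user, password)
            store.must_reset.add(user)
        return store


if __name__ == "__main__":
    # Constructed sample data, not from the breach.
    old = PlaintextStore()
    old.register("alice", "correct horse battery staple")
    print("plaintext record:", old.users["alice"])
    new = HashedStore.migrate_from_plaintext(old)
    print("hashed record:   ", new.users["alice"])
    print("login ok:", new.verify("alice", "correct horse battery staple"),
          "reset required:", "alice" in new.must_reset)
```

The point of reading N, r and p back out of the stored record is that the cost parameters can be raised later for new registrations while existing hashes keep verifying; the point of `must_reset` is that hashing an already-leaked plaintext database does not un-leak it.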

The German data protection authority says that Knuddels.de showed exemplary transparency and cooperation and was quick to implement security upgrades.

Stefan Brink, the State Commissioner for the Baden-Württemberg Data Protection and Freedom of Information (LfDI), says that the organization he runs is not interested in entering a competition for the highest possible fines because the end goal is to improve privacy and data security for the users.

Knuddels may seem to have gotten away with a slap on the wrist, but it did have to act fast to fix the security faults and minimise the impact on its users. This happened over the course of a few weeks, which is no small feat. Furthermore, the company agreed to implement additional security measures in coordination with the LfDI.

On balance, Knuddels.de was forced into an unplanned improvement of its security posture, which adds a significant overall financial burden on top of the fine itself.

« Last Edit: November 23, 2018, 06:55:00 PM by javajolt »