After a hacker attack on the chat platform “Knuddels”, the social media company was fined a five-digit amount by the fines office of the State Commissioner for Data Protection and Freedom of Information (LfDI) of Baden-Württemberg. Among other things, Knuddels had stored user passwords unencrypted.
In early September, the platform disclosed that personal data of more than 300,000 users had been stolen. The attack, which had occurred as early as July 2018, was not discovered until immediately before the disclosure to the data protection authority. In addition to the passwords, which had been stored in clear text, users' e-mail addresses and user names were stolen.
By storing the passwords in clear text, the Karlsruhe-based company had “knowingly violated its duty to ensure data security in the processing of personal data”, said the supervisory authority.
Exemplary cooperation has a positive effect on the fine
In the company's favour, the supervisory authority cited its extensive cooperation with the data protection authority and the prompt notification of users about the attack. This cooperation led to the relatively small fine. The GDPR provides for fines of up to 20 million euros for infringements; companies can also be fined up to four percent of their annual global turnover.
An elaborate data protection concept and a review of existing data protection measures are essential for companies that wish to achieve the best possible protection against hacker attacks and fines that could threaten their existence. Our data protection experts will be pleased to advise you!