A German social media provider received an order to pay a €20,000 fine for a data breach that occurred in the summer of 2018.
On 22 November, the regional data protection watchdog LfDI Baden-Württemberg announced that it had imposed the fine on a local “social media provider” after the organization filed a data breach report on 8 September 2018.
LfDI Baden-Württemberg’s press release doesn’t name the company, but it does provide details about the data breach. In July 2018, bad actors stole personal information including passwords and email addresses from approximately 330,000 users. Those criminals then posted that information online.
The nature of the incident is consistent with an attack that affected Knuddels, a German chat service. But the total number of affected users might have been much higher. Per Spiegel Online’s reporting, unknown individuals apparently made off with 808,000 email addresses and 1,872,000 pseudonyms and passwords.
Upon learning of the attack in September 2018, Knuddels informed its users, temporarily deactivated all the accounts affected by the breach and analyzed the security of its platform. It also notified LfDI Baden-Württemberg in accordance with the European Union’s General Data Protection Regulation (GDPR). Subsequently, the data protection agency conducted its own investigation and learned that Knuddels had stored users’ passwords in plaintext, thereby violating its duty under GDPR.
Knuddels implemented several measures to improve its security architecture after submitting its data breach report. The chat platform also revealed its intention to take additional steps to boost its security before the end of the year. Given this response and the company’s transparency in working with the data protection watchdog, LfDI Baden-Württemberg said a fine of €20,000 met GDPR’s requirement of a proportionate penalty and that it wasn’t “interested in entering into a competition for the highest (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by David Bisson. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/german-social-media-provider-fined-e20k-for-data-breach/