German chat platform Knuddels.de ("Cuddles") has been fined €20,000 for storing user passwords in plain text (no hash at all? Come on, people, it's 2018).
The data of Knuddels users was copied and published by malefactors in July. In September, someone emailed the company warning them that user data had been published at Pastebin (only 8,000 members affected) and Mega.nz (a much bigger breach). The company duly notified its users and the Baden-Württemberg data protection authority.
The larger dump, according to Spiegel Online, was the one published on Mega.nz: it contained over 800,000 email addresses and more than 1.8 million user pseudonyms with their associated passwords. The chat platform said it had verified 330,000 of the published email addresses as belonging to its users.
The regional data watchdog deemed that plain-text storage of passwords breached Article 32 of the GDPR (DS-GVO in German), which requires appropriate technical and organisational measures to secure the processing of personal data, and imposed its first penalty under the regulation.
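For readers wondering what the alternative to a clear-text password column looks like, here is an added example (not Knuddels' code and not from the original article) of the salted, iterated hashing that would have made a leaked table useless on its own, together with the rehash-on-login path an operator uses to retire legacy clear-text records without forcing a mass reset. The record format, the `plain$` legacy marker, the iteration count and the sample user table are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import os

# Hypothetical on-disk record formats used by this example:
#   legacy:  "plain$<password>"                       (what a clear-text store holds)
#   current: "pbkdf2_sha256$<iters>$<salt>$<digest>"  (salted, iterated hash)
LEGACY_PREFIX = "plain$"
HASH_ALGO = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 600_000   # OWASP's 2023 guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a salted, iterated digest. A fresh random salt per call means two
    users with the same password get different records, so a leaked table
    cannot be cracked once and applied to every account."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{HASH_ALGO}${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare
    in constant time. Malformed or foreign records never verify."""
    try:
        algo, iters, salt_b64, digest_b64 = record.split("$")
        iterations = int(iters)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except (ValueError, TypeError):
        return False
    if algo != HASH_ALGO or iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def login(store: dict, username: str, password: str,
          iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Authenticate against a store that may still hold legacy clear-text
    records. A legacy record that matches is rewritten as a hash on the spot,
    so the clear-text copy disappears on the user's next successful login."""
    record = store.get(username)
    if record is None:
        return False
    if record.startswith(LEGACY_PREFIX):
        legacy = record[len(LEGACY_PREFIX):].encode("utf-8")
        if not hmac.compare_digest(legacy, password.encode("utf-8")):
            return False
        store[username] = hash_password(password, iterations)
        return True
    return verify_password(password, record)


def legacy_records(store: dict) -> list:
    """Accounts whose password is still stored in clear text, i.e. the ones
    that would be exposed outright if the table leaked."""
    return sorted(u for u, r in store.items() if r.startswith(LEGACY_PREFIX))


if __name__ == "__main__":
    # Constructed sample table for the demo, not real Knuddels data.
    users = {"alice": "plain$correct horse", "bob": "plain$hunter2"}
    print("exposed before migration:", legacy_records(users))
    login(users, "alice", "correct horse")
    print("exposed after alice logs in:", legacy_records(users))
    print("alice's record now:", users["alice"][:40], "...")
```

Note the division of labour: the per-record salt defeats precomputed tables, the iteration count makes each guess expensive, and `hmac.compare_digest` keeps the comparison free of timing leaks. Accounts that never log in stay in clear text under this scheme, which is why `legacy_records` exists: an operator would use that list to force resets for dormant accounts rather than wait indefinitely.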
Announcing the fine, the authority noted Knuddels' cooperation, so presumably the fine could have been higher.
"By storing the passwords in clear text, the company knowingly violated its duty to ensure data security in the processing of personal data," the authority said.
As well as acknowledging Knuddels' cooperation, the authority's State Commissioner for Data Protection and Freedom of Information, Stefan Brink, said it was avoiding the temptation to enter a "competition for the highest possible fines".
The watchdog also wanted to avoid bankrupting the company. "The overall financial burden on the company was taken into account in addition to other circumstances," the authority noted. ®