'Cuddly' German chat app slacking on hashing given a good whacking under GDPR: €20k fine

PLAIN TEXT passwords showed up on file-hosting site


German chat platform Knuddels.de ("Cuddles") has been fined €20,000 for storing user passwords in plain text (no hash at all? Come on, people, it's 2018).

The data of Knuddels users was copied and published by malefactors in July. In September, someone emailed the company warning them that user data had been published at Pastebin (only 8,000 members affected) and Mega.nz (a much bigger breach). The company duly notified its users and the Baden-Württemberg data protection authority.

The largest breach, according to Spiegel Online, exposed over 800,000 email addresses and more than 1.8 million user pseudonyms with their associated passwords, all published on Mega.nz. The chat platform said it had verified 330,000 of the published emails.

The regional data watchdog deemed that plain text storage of passwords breached the GDPR's security-of-processing requirements (specifically Article 32 of the DS-GVO, as the regulation is known in Germany), and imposed its first penalty under the regulation.

Announcing the fine, the authority noted Knuddels' cooperation, so presumably the fine could have been higher.

"By storing the passwords in clear text, the company knowingly violated its duty to ensure data security in the processing of personal data," the authority said.

As well as acknowledging Knuddels' cooperation, the authority's State Commissioner for Data Protection and Freedom of Information, Stefan Brink, said it was avoiding the temptation to enter a "competition for the highest possible fines".

The watchdog also wanted to avoid bankrupting the company. "The overall financial burden on the company was taken into account in addition to other circumstances," the authority noted. ®
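As an added illustration (not code from Knuddels or the regulator), the snippet below puts the plain-text storage the fine concerns next to a salted, slow password hash: with the second scheme a copied user table yields no passwords, and the same password never produces the same stored record twice. The iteration count is an assumption taken from current OWASP guidance for PBKDF2-HMAC-SHA256.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# 'Before': a plain-text credential table. Anyone who copies the table
# (as happened to Knuddels) gets every password as-is.
def store_plain(users: Dict[str, str], username: str, password: str) -> None:
    users[username] = password

# 'After': each password gets a random per-user salt and a deliberately
# slow hash; the table only ever holds the salt and the hash output.
ITERATIONS = 600_000  # assumption: OWASP's recommended floor for PBKDF2-HMAC-SHA256

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    salt = salt or os.urandom(16)  # fresh salt -> identical passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record so the parameters can be raised later without a migration.
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )

def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        rounds = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed record: fail closed rather than crash
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)

def store_hashed(users: Dict[str, str], username: str, password: str) -> None:
    users[username] = hash_password(password)

if __name__ == "__main__":
    leaked_plain, leaked_hashed = {}, {}
    store_plain(leaked_plain, "alice", "hunter2")    # constructed sample credentials
    store_hashed(leaked_hashed, "alice", "hunter2")
    print("plain-text table reveals:", leaked_plain["alice"])
    print("hashed table reveals:    ", leaked_hashed["alice"])
    print("login with right password:", verify_password("hunter2", leaked_hashed["alice"]))
```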


Spain, Austria not convinced location data is personal information

Privacy group NOYB sues to get telcos to respect GDPR data access rights

Some authorities in Europe insist that location data is not personal data as defined by the EU's General Data Protection Regulation.

EU privacy group NOYB (None of your business), set up by privacy warrior Max "Angry Austrian" Schrems, said on Tuesday it appealed a decision of the Spanish Data Protection Authority (AEPD) to support Virgin Telco's refusal to provide the location data it has stored about a customer.

In Spain, according to NOYB, the government still requires telcos to record the metadata of phone calls, text messages, and cell tower connections, despite Court of Justice (CJEU) decisions that prohibit data retention.


Europe's GDPR coincides with dramatic drop in Android apps

Privacy rules increase cost, reduce choice, slash revenues, study concludes

Europe's data protection regime has reduced the number of apps available in Google Play by "a third," increased costs, and reduced developer revenues, according to a study published Monday.

And with higher costs, fewer apps are being created, to the detriment of consumers and the mobile app economy, it claims.

"At the start of our sample period in July 2016, our data contain 2.1 million apps in the Google Play Store, while AppBrain reported 2.2 million. The number of Play Store apps in our sample then rises to 2.8 million in the fourth quarter of 2017, then falls by almost one million – about 32 percent – by the end of 2018. Available apps in AppBrain saw a similar decline, by 31 percent between the beginning of 2018 and the end of 2018."


Lawyers say changes to UK data law will make life harder for international businesses

Concerns raised over government drive to implement distinct post-Brexit policy

Legal experts say UK government plans to create new data protection laws will make more work and add costs for business, while also creating the possibility of challenges to data sharing between the EU and UK.

Last week, the Queen's Speech – in which the British government sets out its legislative plans – said the ruling Conservative party planned to replace the EU's General Data Protection Regulation (GDPR) to ease the burden on business with an approach to data protection that encourages innovation while retaining protection of personal data and privacy.


Tech pros warn EU 'data adequacy' at risk if Brexit Britain goes its own way

Show us that benefits outweigh the cost, BCS challenges government

BCS, The Chartered Institute for IT, has warned that proposed changes to Britain's data protection rules must not put the flow of data between the EU and the UK at risk.

The professional body said the supposed benefits of a leaner data protection regime – something the government promised last week – should not come at the expense of the UK's current "data adequacy" arrangement with the EU.

The UK remained compliant with the EU's General Data Protection Regulation (GDPR) when it formally left the EU at the end of 2020. Its interpretation of EU law meant that the trading bloc gave the UK an "adequacy" ruling, permitting data sharing across the border.


China's vice premier Liu He advocates technology and government cooperation

After years of crackdowns, Beijing changing its tune on the industry

The vice premier of China and Xi Jinping's economic right hand man, Liu He, has offered a rare show of support to China's tech industry – both domestic and abroad.

According to state-sponsored media, Liu told around 100 members of the Chinese People's Political Consultative Congress (CPPCC) it is important to have a good relationship between the government and tech, and to research and support specific measures that grow the platform economy.

"It is necessary to wage a successful battle for the strategic ground of critical core technologies," Liu said, according to Xinhua news agency.


AI-powered browser extension to automatically click away cookie pop-ups now promised

Tool disables non-essential tokens

A team of researchers at the University of Wisconsin-Madison and Google say they have found a way to use artificial intelligence to neutralize manipulative cookie consent pop-ups that have become ubiquitous on the web.

The project, revealed this month and dubbed CookieEnforcer, has the goal of automating the clicking through of choices in these online consent forms to disable all non-essential cookies on a website. The resulting software can therefore spare netizens from having to manually reject cookies presented by a website.

When confronted with cookie pop-ups, which are required by European law and other legislation, many users simply click "accept all," despite the fact that unnecessary cookies may compromise privacy, the project's paper stated. Some of the organizations forced to implement these pop-ups have designed them specifically to be tricky to navigate, or use dark patterns to fool someone into selecting the opposite of the option they wanted, to discourage people from disabling tracking cookies.


Big Tech revenues under threat from EU law proposals

Digital Markets Act rules agreed, set to include fines of up to 10% of turnover and power to break up businesses

Sanctions for non-compliance with new EU powers could hit tech giants with fines of up to 10 percent of their worldwide turnover – that's around $21 billion in the case of dominant online retailer Amazon.

The political bloc's legislator has set out agreed rules to tackle dominance of big tech firms deemed "gatekeepers" because of their control over broad sets of services within their platforms.

Under the Digital Markets Act (DMA) outlined last night, the European Commission will have powers to designate companies as gatekeepers following a market investigation.


Android's Messages, Dialer apps quietly sent text, call info to Google

Hashed text, phone call logs collected without opt-out or specific notice

Updated Google's Messages and Dialer apps for Android devices have been collecting and sending data to Google without specific notice and consent, and without offering the opportunity to opt-out, potentially in violation of Europe's data protection law.

According to a research paper, "What Data Do The Google Dialer and Messages Apps On Android Send to Google?" [PDF], by Trinity College Dublin computer science professor Douglas Leith, Google Messages (for text messaging) and Google Dialer (for phone calls) have been sending data about user communications to the Google Play Services Clearcut logger service and to Google's Firebase Analytics service.

"The data sent by Google Messages includes a hash of the message text, allowing linking of sender and receiver in a message exchange," the paper says. "The data sent by Google Dialer includes the call time and duration, again allowing linking of the two handsets engaged in a phone call. Phone numbers are also sent to Google."


F-Secure spins out new enterprise security business: WithSecure

CEO tells The Reg of new branding ahead of Finnish vendor's corporate split

F-Secure's enterprise-facing business will have a new brand – WithSecure – and a sharpened focus when the company splits into two independent operations.

The move comes a month after the security vendor's board of directors revealed that the 34-year-old Helsinki-based company would carve out the consumer security business from its enterprise unit. The consumer business will retain the F-Secure name.

The final break will come this summer after a general meeting in May. The split is scheduled to complete on June 30.


UK criminal defense lawyer hadn't patched when ransomware hit

Brit solicitor fined after admitting it took 5 months to install critical update

Criminal defense law firm Tuckers Solicitors is facing a fine from the UK's data watchdog for failing to properly secure data that included information on case proceedings which was scooped up in a ransomware attack in 2020.

The London-based business was handed a £98,000 penalty notice by the Information Commissioner's Office under Article 83 of the EU's General Data Protection Regulation 2018*.

The breach was first noted by Tuckers on August 23 2020 when part of its IT system became unavailable. On closer inspection, resident techies found a note from the attackers confirming they had compromised part of the infrastructure. The Microsoft Exchange server was out of action and two days' worth of emails were lost, as detailed by the company blog at the time.


EU proposes law forcing manufacturers to share data

Users set to get right to access products' data stream, public sector might dip in too

In proposals aimed at IoT and machine data, the European Commission has put forward the Data Act, which promises to force manufacturers to share streams of after-sale data with third-party tech firms.


EU Data Protection Board probes public sector use of cloud

Privacy: We've heard of it. Do you know where your data is?

Updated The European Data Protection Board (EDPB) has kicked off its first coordinated enforcement action, taking a long, hard look at the use of cloud-based services by the public sector.

It's going to be a big one, involving the launch of investigations by 22 national authorities across the European Economic Area (EEA) and encompassing more than 75 public bodies including EU institutions. A wide range of services are to be examined, including health, finance, tax, and central buyers or providers of IT services.

As for how it will work, at national level a questionnaire will be handed out. A formal investigation might then begin depending on the answers.
