[BreachExchange] Knuddels Flirt App Slapped with Hefty Fine After Data Breach

[Destry Winant]

https://threatpost.com/knuddels-flirt-app-slapped-with-hefty-fine-after-data-breach/139384/

It’s Germany’s first GDPR fine, for an incident that affected millions
of accounts.

Germany has slapped a popular in-region dating, flirting and chat
service with a €20,000 fine (or around $22,667), after a hack affected
more than 1.8 million accounts this summer.

The Baden-Württemberg Data Protection Authority announced last week it
had issued the fine, which is the country’s first to be doled out
under the E.U.-wide General Data Protection Regulation that went into
effect last May.

The social chat service, Knuddels, saw about 808,000 email addresses
and over 1.8 million usernames and passwords exposed after an attack
in July; the perpetrators went on to publish the information online at
Pastebin and the Mega cloud storage service in cleartext form. An
investigation by regulators showed that the website stored its data in
plain text with no safeguards – which Knuddels confirmed.

“In 2012, the storage of passwords was introduced as a hash,” the
company said on its message boards (translation by Google). “The
non-hashed version of the passwords, however, was also preserved.”

The company quickly deleted the un-hashed version of the passwords,
adding, “We are sorry that we did not take this step earlier.”

Knuddels learned of the attack in September, and went on to inform its
users, temporarily deactivating all accounts. It also notified LfDI
Baden-Württemberg in accordance with the GDPR and is implementing
additional security measures.

“Knuddels is safer than ever,” Holger Kujath, the managing director of
Knuddels, told Spiegel Online.

Greg Silberman, chief privacy officer at Cylance, told Threatpost that
the enforcement brings a bit of clarity to the GDPR’s language around
compliance, which is notoriously vague.

“While only one of the 99 Articles of the GDPR addresses Security of
Data Processing (Article 32), this fine should serve as a reminder to
companies large and small that part of their compliance obligation
under GDPR is ‘to implement appropriate technical and organizational
measures to ensure a level of security appropriate to the risk,'” he
told us. “A company may perfectly comply with the other 98 Articles of
the GDPR, but if they don’t implement appropriate security measures,
they will still be fined.”

The fine would have been higher, but the company’s transparency in
working with the data protection watchdog stood it in good stead.
Depending on the severity of the incident, the GDPR provides for fines
of up to €20 million or 4 percent of the annual revenue of the prior
fiscal year. The regulators said that the penalty was “proportionate.”

“Those who learn from harm and act transparently to improve data
protection can emerge stronger as a company from a hacker attack,”
LfDI Baden-Württemberg said in a notice. “As a fine, the LfDI is not
interested in entering into a competition for the highest possible
fines. The bottom line is improving privacy and data security for the
users.”

The GDPR has been slow to result in significant fines, but the tide
could be turning on that, according to Mike Bittner, digital and
security operations manager at The Media Trust.

“The growing number of data privacy regulations are changing business
practices in ways that will be unalterable,” he said via email. “In
today’s post-GDPR world, data compliance is a revenue strategy. That
means two important points: first, all businesses must obtain
informed, specific consent from consumers before collecting their
data, and, second, they must ensure that data is secure…While
companies might be able to reduce the penalties by demonstrating
transparency, quick remediation, and the desire to cooperate with
regulators, the unwanted media attention on the security mishap and
GDPR sanction could erode consumers’ trust in their brand and reduce
revenues.”