Germany has slapped a popular in-region dating, flirting and chat service with a €20,000 fine (or around $22,667), after a hack affected more than 1.8 million accounts this summer.
The Baden-Württemberg Data Protection Authority announced last week it had issued the fine, which is the country’s first to be doled out under the E.U.-wide General Data Protection Regulation that went into effect last May.
The social chat service, Knuddels, saw about 808,000 email addresses and over 1.8 million usernames and passwords exposed after an attack in July; the perpetrators went on to publish the information online at Pastebin and the Mega cloud storage service in cleartext form. An investigation by the regulator showed that the site stored user passwords in plain text, with no hashing or encryption to protect them – which Knuddels confirmed.
“In 2012, the storage of passwords was introduced as a hash,” the company [said on its message boards](<https://forum.knuddels.de/ubbthreads.php?ubb=showflat&Number=2916081>) (translation by Google). “The non-hashed version of the passwords, however, was also preserved.”
The company quickly deleted the un-hashed version of the passwords, adding, “We are sorry that we did not take this step earlier.”
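The pattern Knuddels describes, a hash column added while the cleartext column was kept, means a database dump leaks every password regardless of the hash. As an added illustration (this is not Knuddels' code, which is not public; the record layout, field names and the PBKDF2 work factor are assumptions), the following shows that defect beside a hardened store, a migration that re-derives each record from the cleartext and then drops it, and the check an auditor would want: that no record still carries a recoverable password.

```python
import hashlib
import hmac
import secrets

# Assumed work factor for PBKDF2-HMAC-SHA256 (current OWASP guidance);
# nothing in the article says what Knuddels used.
KDF_ITERATIONS = 600_000
SALT_BYTES = 16


def legacy_store(users: dict, username: str, password: str) -> None:
    """The defect the article describes: a hash field exists, but the
    cleartext password is written alongside it. Anyone who dumps the store
    gets every password without cracking anything."""
    users[username] = {
        "password": password,  # cleartext retained (the defect)
        "hash": hashlib.sha1(password.encode("utf-8")).hexdigest(),  # unsalted, fast
    }


def derive(password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Salted, deliberately slow key derivation (PBKDF2-HMAC-SHA256 from the stdlib)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def hardened_store(users: dict, username: str, password: str) -> None:
    """Store only what is needed to verify a login: salt, work factor, derived key."""
    salt = secrets.token_bytes(SALT_BYTES)
    users[username] = {
        "salt": salt.hex(),
        "iterations": KDF_ITERATIONS,
        "hash": derive(password, salt).hex(),
    }


def verify(users: dict, username: str, password: str) -> bool:
    """Constant-time comparison of the derived key; unknown users and
    un-migrated legacy records are rejected after doing one KDF anyway so
    response time does not reveal which usernames exist."""
    record = users.get(username)
    if record is None or "salt" not in record:
        derive(password, b"\x00" * SALT_BYTES)
        return False
    expected = bytes.fromhex(record["hash"])
    actual = derive(password, bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(actual, expected)


def migrate(users: dict) -> int:
    """Re-derive every legacy record from its cleartext, then delete both the
    cleartext and the weak unsalted hash. Returns the number of records migrated."""
    migrated = 0
    for record in users.values():
        if "password" in record:
            cleartext = record.pop("password")
            record.pop("hash", None)
            salt = secrets.token_bytes(SALT_BYTES)
            record.update(
                salt=salt.hex(),
                iterations=KDF_ITERATIONS,
                hash=derive(cleartext, salt).hex(),
            )
            migrated += 1
    return migrated


def cleartext_count(users: dict) -> int:
    """The audit check: how many records still hold a recoverable password.
    Must be zero once the migration has run."""
    return sum(1 for record in users.values() if "password" in record)


if __name__ == "__main__":
    # Constructed sample accounts, not data from the breach.
    users: dict = {}
    legacy_store(users, "alice", "correct horse battery staple")
    legacy_store(users, "bob", "hunter2")
    print("cleartext records before migration:", cleartext_count(users))
    print("records migrated:", migrate(users))
    print("cleartext records after migration:", cleartext_count(users))
    print("alice, right password:", verify(users, "alice", "correct horse battery staple"))
    print("alice, wrong password:", verify(users, "alice", "hunter2"))
```

The migration above can only run because the cleartext still exists; once it has been consumed, the only place a password is ever seen in clear is the login request itself, which is where any future change of work factor or algorithm has to be applied (re-derive on successful login), not from a stored copy.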
Knuddels learned of the attack in September, and went on to inform its users, temporarily deactivating all accounts. It also notified LfDI Baden-Württemberg in accordance with the GDPR and is implementing additional security measures.
“Knuddels is safer than ever,” Holger Kujath, the managing director of Knuddels, told [Spiegel Online](<http://www.spiegel.de/netzwelt/web/knuddels-chat-plattform-muss-nach-hackerangriff-bussgeld-zahlen-a-1239776.html>).
Greg Silberman, chief privacy officer at Cylance, told Threatpost that the enforcement brings a bit of clarity to the GDPR’s language around compliance, which is [notoriously vague](<https://threatpost.com/gdpr-a-compliance-quagmire-for-now/132644/>).
“While only one of the 99 Articles of the GDPR addresses Security of Data Processing (Article 32), this fine should serve as a reminder to companies large and small that part of their compliance obligation under GDPR is ‘to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk,’” he told us. “A company may perfectly comply with the other 98 Articles of the GDPR, but if they don’t implement appropriate security measures, they will still be fined.”
The fine would have been higher, but the company’s transparency in working with the data protection watchdog stood it in good stead. Depending on the severity of the infringement, the GDPR provides for fines of up to €20 million or 4 percent of worldwide annual turnover for the prior fiscal year, whichever is higher. The regulators said that the penalty was “proportionate.”
“Those who learn from harm and act transparently to improve data protection can emerge stronger as a company from a hacker attack,” LfDI Baden-Württemberg said in [a notice](<https://www.baden-wuerttemberg.datenschutz.de/lfdi-baden-wuerttemberg-verhaengt-sein-erstes-bussgeld-in-deutschland-nach-der-ds-gvo/>). “As the fining authority, the LfDI is not interested in entering into a competition for the highest possible fines. The bottom line is improving privacy and data security for the users.”
The GDPR has been [slow to result in significant fines](<https://threatpost.com/lawsuits-aim-billions-in-fines-at-equifax-and-ad-targeting-companies/139001/>), but the tide could be turning on that, according to Mike Bittner, digital and security operations manager at The Media Trust.
“The growing number of data privacy regulations are changing business practices in ways that will be unalterable,” he said via email. “In today’s post-GDPR world, data compliance is a revenue strategy. That means two important points: first, all businesses must obtain informed, specific consent from consumers before collecting their data, and, second, they must ensure that data is secure…While companies might be able to reduce the penalties by demonstrating transparency, quick remediation, and the desire to cooperate with regulators, the unwanted media attention on the security mishap and GDPR sanction could erode consumers’ trust in their brand and reduce revenues.”
Source: Tara Seals, “Knuddels Flirt App Slapped with Hefty Fine After Data Breach,” Threatpost, 26 November 2018, https://threatpost.com/knuddels-flirt-app-slapped-with-hefty-fine-after-data-breach/139384/