
'Cuddly' German chat app slacking on hashing given a good whacking under GDPR: €20k fine

PLAIN TEXT passwords showed up on file-hosting site


German chat platform Knuddels.de ("Cuddles") has been fined €20,000 for storing user passwords in plain text (no hash at all? Come on, people, it's 2018).
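For contrast with what Knuddels did, here is what salted, slow password hashing looks like in practice, including the migrate-on-login pattern a site inheriting a clear-text table would need. This is an added example, not code from Knuddels or from the authority's decision; the scrypt cost parameters, the record format and the in-memory user table are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os

# Cost parameters are assumptions for this example; raise SCRYPT_N as hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN, SALT_LEN = 32, 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str) -> str:
    """Salted scrypt hash, stored as a self-describing record so parameters can change later."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record and compare in constant time."""
    try:
        alg, n, r, p, salt_b64, digest_b64 = record.split("$")
        if alg != "scrypt":
            return False
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
        actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(actual, expected)


# Verified for unknown usernames so login timing does not reveal which accounts exist.
_DUMMY_RECORD = hash_password("dummy-password-for-timing-only")


class UserStore:
    """In-memory user table (constructed for this example); records never contain the password."""

    def __init__(self):
        self.records = {}

    def register(self, username: str, password: str) -> None:
        self.records[username] = hash_password(password)

    def import_legacy_plaintext(self, username: str, password: str) -> None:
        # Models a row inherited from a clear-text era; the prefix marks it for upgrade.
        self.records[username] = "plain$" + password

    def login(self, username: str, password: str) -> bool:
        record = self.records.get(username)
        if record is None:
            verify_password(password, _DUMMY_RECORD)
            return False
        if record.startswith("plain$"):
            # Migrate-on-login: the only moment the clear text is legitimately in hand.
            stored = record[len("plain$"):].encode("utf-8")
            if not hmac.compare_digest(stored, password.encode("utf-8")):
                return False
            self.records[username] = hash_password(password)
            return True
        return verify_password(password, record)

    def is_hashed(self, username: str) -> bool:
        return self.records.get(username, "").startswith("scrypt$")
```

The per-user random salt means two users with the same password get different records, and a leaked table yields nothing without a per-record brute-force at scrypt cost; the self-describing record lets the parameters be raised later without invalidating existing users.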

The data of Knuddels users was copied and published by malefactors in July. In September, someone emailed the company warning them that user data had been published at Pastebin (only 8,000 members affected) and Mega.nz (a much bigger breach). The company duly notified its users and the Baden-Württemberg data protection authority.

The largest breach, according to Spiegel Online, exposed over 800,000 email addresses and more than 1.8 million user pseudonyms with their associated passwords, all published on Mega.nz. The chat platform said it had verified 330,000 of the published emails as genuine.

The regional data watchdog deemed that plain-text storage of passwords breached Article 32 of the GDPR (DS-GVO in German), which requires appropriate technical and organisational measures to secure the processing of personal data, and imposed its first penalty under the regulation.

Announcing the fine, the authority noted Knuddels' cooperation, so presumably the fine could have been higher.

"By storing the passwords in clear text, the company knowingly violated its duty to ensure data security in the processing of personal data," the authority said.

As well as acknowledging Knuddels' cooperation, the authority's State Commissioner for Data Protection and Freedom of Information, Stefan Brink, said it was avoiding the temptation to enter a "competition for the highest possible fines".

The watchdog also wanted to avoid bankrupting the company. "The overall financial burden on the company was taken into account in addition to other circumstances," the authority noted. ®

