LfDI - O 1018/115

From GDPRhub
LfDI - O 1018/115
Authority: LfDI (Baden-Württemberg)
Jurisdiction: Germany
Relevant Law: Article 32(1)(a) GDPR
Article 83(1) GDPR
Article 83(2) GDPR
§ 105 OWiG
§ 107 OWiG
§ 464(1) StPO
§ 465 StPO
§ 107(1) Third Sentence OWiG
Type: Other
Outcome: n/a
Decided: 21.11.2018
Published: n/a
Fine: 20000 EUR
Parties: Knuddels GmbH & Co. KG
National Case Number/Name: O 1018/115
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): German
Original Source: GDPRhub (in DE)
Initial Contributor: ManTechnologist

The Baden-Württemberg DPA holds that by storing passwords in plain text, the company knowingly violated its obligation to ensure data security when processing personal data in accordance with Art. 32(1)(a) GDPR.

English Summary

Facts

The company had contacted the LfDI on 8 September 2018 with a data breach report after it had discovered that personal data of approximately 330,000 users, including passwords and email addresses, had been stolen in a hacker attack in July 2018 and had been made public in early September 2018. The company informed its users immediately and comprehensively about the hacker attack in accordance with the GDPR. The company provided the LfDI with exemplary disclosure of its data processing and corporate structures as well as its own failings. The LfDI thus became aware that the company had stored the passwords of its users in plain text, i.e. unencrypted and unaltered (unhashed). The company used these clear text passwords in a so-called "password filter" to prevent the transmission of user passwords to unauthorised third parties, with the aim of better protecting the users.
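As an added illustration (not Knuddels' code and not part of the decision), the hashed storage the authority calls state of the art still supports both a login check and the kind of password filter described above: a salted, slow hash is stored instead of the plaintext, and a user's outgoing message is checked by hashing its tokens with that user's own salt. The scrypt parameters and sample password are constructed for the example.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Constructed illustration, not the company's code: only a salted scrypt hash of
# each password is stored. The same record still serves the two purposes the
# plaintext file was used for: verifying logins and filtering the sender's own
# password out of the messages they send.

# scrypt cost parameters (constructed choice; tune for the hardware in use)
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return the record that is stored instead of the plaintext password."""
    salt = os.urandom(16) if salt is None else salt  # per-user random salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return {"salt": salt, "hash": digest}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.scrypt(candidate.encode("utf-8"), salt=record["salt"], **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, record["hash"])


def message_leaks_own_password(record: dict, message: str) -> bool:
    """Password filter without a plaintext copy: hash every whitespace-separated
    token of the sender's outgoing message (also with trailing punctuation
    stripped) using the sender's salt and compare against the stored hash.
    Trade-off: only whole tokens are caught, and each token costs one scrypt
    evaluation; a plaintext substring search is not reproduced here."""
    tokens = set()
    for tok in re.findall(r"\S+", message):
        tokens.add(tok)
        tokens.add(tok.rstrip(".,!?;:"))
    return any(tok and verify_password(record, tok) for tok in tokens)


if __name__ == "__main__":
    rec = hash_password("Tr0ub4dor&3")  # constructed sample password
    print(verify_password(rec, "Tr0ub4dor&3"))
    print(message_leaks_own_password(rec, "my login is Tr0ub4dor&3, dont tell"))
```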

Dispute

Holding

By storing the passwords in plain text, the company knowingly violated its obligation to ensure data security when processing personal data in accordance with Art. 32(1)(a) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

- copy -

Baden-Württemberg
THE NATIONAL COMMISSIONER FOR DATA PROTECTION AND FREEDOM OF INFORMATION
- Fine -

LfDI Baden-Württemberg P.O. Box 10 29 32 70025 Stuttgart


Name
[Censored] and [Censored]
Knuddels GmbH & Co. KG 
Kaiserstrasse 146 
76133 Karlsruhe

Date: November 21, 2018
Extension 0711/615541-0
File number O 1018/115 (please indicate when replying)

Fine proceedings against Knuddels GmbH & Co. KG for infringement of Article 32 (1) lit. a DSGVO [GDPR].
(Storage of unhashed passwords)
here: Fine notice
Enclosure: 1 transfer form, cash reference number 1885260000100

Dear Mr [Censored],
Dear Mr [Censored],

The State Commissioner for Data Protection and Freedom of Information (LfDI)
Baden-Württemberg - fine - issues the following fine notice against
Knuddels GmbH & Co. KG:

1. A fine in the amount of 20,000.00 euros is imposed on Knuddels GmbH & Co. KG.

2. In addition, Knuddels GmbH & Co. KG is ordered to pay the fine in the amount of 20,000 euros.

Reasons:

1. Facts of the case

Knuddels GmbH & Co. KG (hereinafter Knuddels) has operated an internet platform since 2002 through which users can register under pseudonyms and communicate in so-called chats. [Censored]

[Censored]

[Censored] Knuddels had been aware since 2012 that unsecured storage of passwords was not (or no longer) state-of-the-art. At that time, Knuddels introduced hash-based security for the login data of its users.

[Censored] In view of the entry into force of the EU General Data Protection Regulation (DSGVO), Knuddels decided to maintain the file with passwords in plain text also after 25.05.2018 in order to continue to prevent a "fishing out" of the users' passwords by third parties in the future.
With two attacks on 12.07.2018 and 14.07.2018, a previously unidentified perpetrator who had gained access to Knuddels' data captured a total of 1.8 million data records, including the file with the unencrypted passwords. Of the stolen data records, an initial 8,000 user records, including passwords and e-mail addresses, were published on the "Pastebin" platform in the period from 05.09.2018 to 07.09.2018. A further data set with 1.8 million user records, including pseudonyms, passwords and e-mail addresses, was published on the "mega.nz" platform in the same period.

After Knuddels became aware of the publication on the evening of 05.09.2018 and thus learned of the previous successful hacker attack for the first time, Knuddels informed its users about the incident on Friday 07.09.2018 and asked them to change their password. On 08.09.2018 Knuddels also published the extent of the hacker attack in a press release and via various social networks and apologised to its users for the incident. On the same day, Knuddels reported a data breach to the responsible data protection supervisory authority and filed a criminal complaint with the Karlsruhe public prosecutor's office. On Monday, 10.09.2018, Knuddels also explained in a public forum on its homepage why passwords had been stored unhashed in the past and that this practice had ended on 07.09.2018. Internal checks by Knuddels revealed that the captured user data concerned a total of 330,000 people.

Since the publication of the hacked user data, Knuddels has spent approximately [Censored] to continuously improve its IT security measures. A further [Censored] will be invested in the further expansion of the existing security infrastructure by the end of the year. No misuse of the stolen data records has yet been detected.

2. Assessment of evidence

The facts of the case are established on the basis of the credible information provided by Knuddels and the results of the LfDI investigation. Full reference is made to the content of the fine file.

3. Legal assessment

By storing unencrypted passwords, [Censored] violated their obligation to ensure data security when processing personal data in accordance with Article 32 paragraph 1 letter a DSGVO.

The unsecured passwords are personal data, since these passwords, the associated user names and e-mail addresses, which were also stored and hacked, made it possible to determine the respective persons at least indirectly. However, it is not necessary to know the actual names of the users concerned (see for indirect determinability: BeckOK Datenschutzrecht Wolff/Brink, DSGVO Article 4 marginal no. 17). Contrary to its obligation as the responsible body, Knuddels did not secure this data by means of suitable technical and organisational measures in accordance with Article 32 DSGVO to prevent access by unauthorised persons. As Knuddels was aware, it has been state of the art for many years to store users' passwords only in encrypted or hashed form. For this reason, Knuddels changed its chat logins to hashed passwords as early as 2012. [Censored]

Knuddels GmbH & Co. KG is also responsible for this infringement. This is because the creation and continuation of the file with unsecured passwords was carried out at the instigation, but in any case with the knowledge and express approval, of the two managing directors [Censored], at least in an indirect manner, so that the breach of duty is, irrespective of the question of any functional responsibility of the company, in any case attributable to Knuddels GmbH & Co. KG in accordance with § 30 para. 1 No. 1 OWiG.
4. Assessment of the fine

The framework for fines can be found in Art. 83 (4) DSGVO, which provides for a fine of up to 10 million euros or 2% of the turnover of the previous fiscal year.

In assessing the fine in concrete terms, the following circumstances were in Knuddels' favour: The transfer of user data to an unauthorized third party was not at Knuddels' instigation but the result of an external hacker attack. As a result of this illegal intrusion and theft of data by unknown third parties, Knuddels itself suffered not inconsiderable damage to its assets and reputation. After the hacker attack became known, Knuddels made every effort to ensure the quickest possible and most comprehensive transparency both towards its users and towards the supervisory authority. In this way, Knuddels made a very significant contribution to fully clarifying the facts of the case and achieving substantial progress in user data security. Moreover, the fact that Knuddels did not derive any economic benefit from the violation, nor intended to do so, had to be taken into account as a mitigating factor when calculating the fine. In addition, Knuddels invested an amount of [Censored] in IT security measures within a few weeks of the incident, without having been expressly requested to do so by the supervisory authority, so that the security architecture now corresponds to the current state of the art. Knuddels will invest a further [Censored] in additional IT security measures until the end of the year in order to further improve the security standard achieved. In addition, Knuddels has declared its willingness to swiftly implement all the requirements of the supervisory authority (insofar as they have not already been implemented), which will also result in further additional costs. The very good cooperation with the supervisory authority and the transparent disclosure of the company's own considerations, structures and omissions were seen as particularly positive. In addition, in Knuddels' favour, it was evident that its data processing had not been subject to any objections in the past.
To the detriment of Knuddels, however, it was clear that personal data was affected to a not inconsiderable extent and that Knuddels had knowingly stored the passwords in question in plain text. [Censored]

After weighing up all the assessment criteria for and against Knuddels, a fine at the lower end of the scale of fines seemed appropriate, particularly in view of the very positive behaviour since the infringement became known and the damage sustained by Knuddels.

Taking into account all relevant circumstances, a fine of EUR 20,000.00 was therefore to be set against Knuddels GmbH & Co. KG as effective, deterrent and proportionate within the meaning of Art. 83 para. 1 and 2 DSGVO. [Censored]
5. Fees and expenses

In addition to the fine imposed, Knuddels must also bear the costs of the proceedings (§§ 105, 107 OWiG in conjunction with § 464 (1), § 465 StPO). The procedural fee is 5% of the fine, but at least 25 euros and at most 7,500 euros (§ 107 (1) sentence 3 OWiG).

Against Knuddels GmbH & Co. KG, a fee of EUR 1,000 was therefore to be set.

No expenses were incurred.

Information on legal remedies:

This fine notice becomes legally binding and enforceable if you do not lodge an objection within 2 weeks of receiving it. The objection must be submitted in writing or for the record to the State Commissioner for Data Protection and Freedom of Information (LfDI) Baden-Württemberg, Bußgeldstelle, Königstraße 10a, 70173 Stuttgart. The deadline is only met if the objection is received by the State Commissioner for Data Protection and Freedom of Information in Stuttgart before the deadline expires. If we uphold the fine after the objection has been lodged, the Stuttgart District Court will decide on your objection.

Request for payment:

You are requested to transfer the total amount of EUR 21,000.00 to the account of the Landesoberkasse Baden-Württemberg at BW-Bank, BIC: SOLADEST600, IBAN DEO2 6005 0101 7495 5301 02. Please make sure to use the above mentioned cash reference number (1885260000100) as the reason for payment, otherwise your payment cannot be assigned.

In the event of insolvency, the State Commissioner for Data Protection and Freedom of Information (LfDI) must be informed in good time before the expiry of the (respective) payment deadline, giving detailed reasons why the timely payment is not reasonable under the economic circumstances. Suitable evidence (e.g. balance sheets) must be enclosed.

If neither the payment deadlines are met nor the inability to pay is demonstrated in time, the amount due will be forcibly recovered. The local court can also order the collection of the fine by way of compulsory detention.

With kind regards

On behalf of

signed

Issued: Stuttgart, 21.11.2018