A German privacy regulator has issued its first GDPR fine after a hacker stole unencrypted data on hundreds of thousands of customers of a local chat app.
The Baden-Württemberg Data Protection Authority (LfDI) fined Knuddels just €20,000 ($22,700) despite the firm having stored user passwords and emails in plain text.
As a result, hackers were able to make off with 330,000 legitimate credentials, publishing them in September 2018 on Pastebin and Mega.
The breach itself is thought to have been much bigger, with over 800,000 email addresses and over 1.8 million passwords stolen, although only 330,000 have been confirmed.
Although the lack of encryption breaks a core requirement of the GDPR, the German chat app provider seems to have benefited from responding with speed and transparency.
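The defect at the heart of this case is storing credentials in a form that reads back as the password itself. The following is an added illustration, not code from the article or from Knuddels: it places a plaintext record beside a salted, iterated hash (PBKDF2-HMAC-SHA256 from Python's standard library; the iteration count is an assumed value chosen for illustration) so that a leaked table of the hashed form yields no passwords and no two users with the same password share a record.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for illustration; tune iterations to current guidance and hardware.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def store_plaintext(password: str) -> str:
    """What a plaintext scheme keeps on disk: the password itself.
    Anyone who reads the table holds every credential."""
    return password


def store_hashed(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash'.
    A random per-user salt means identical passwords produce different records."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash with the salt and iteration count stored in the record,
    then compare in constant time so timing does not leak how many bytes matched."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def record_reveals_password(record: str, password: str) -> bool:
    """True if the stored record contains the password verbatim (the plaintext failure)."""
    return password in record


if __name__ == "__main__":
    pw = "constructed-sample-password"  # constructed sample value, not real data
    print("plaintext record:", store_plaintext(pw))
    r1, r2 = store_hashed(pw), store_hashed(pw)
    print("hashed records differ:", r1 != r2)
    print("verify correct / wrong:", verify(pw, r1), verify("not-the-password", r1))
```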
“The company implemented extensive measures to improve its IT security architecture within a few weeks, bringing its users' data up to date. In addition, the company will implement additional measures to further improve data security in the coming weeks in coordination with LfDI,” the regional regulator said in a statement.
“The very good cooperation with the LfDI spoke in particular to the benefit of the company. The transparency of the company was just as exemplary as the readiness, the guidelines and recommendations of the State Commissioner for Data Protection and Freedom of Information. In this way, the security of the user data of the social media service could be significantly improved in a very short time.”
The outcome of this case will reassure some Data Protection Officers (DPOs), who have been waiting to see how regulators enforce the GDPR, that the emphasis is on education rather than on making an example of organizations.
UK watchdog the Information Commissioner’s Office (ICO) has said as much in the past.
"Those who learn from harm and act transparently to improve data protection can emerge stronger as a company from a hacker attack," said Stefan Brink, state data protection commissioner for Baden-Württemberg. "The LfDI is not interested in entering into a competition for the highest possible fines. In the end, it's about improving privacy and data security for the users."