Knuddels, a German chat app, has been fined €20,000 (£17,700) over a data breach that exposed more than 300,000 login credentials.
It’s the first fine for a violation of the EU GDPR (General Data Protection Regulation) issued by the LfDI (the Baden-Württemberg data protection authority). Some have criticised the apparent leniency of the fine, citing the organisation’s clear violations of the Regulation’s requirements concerning encryption. Knuddels stored users’ data in plain text, so once crooks obtained the data they could read the information directly, with no further effort.
However, the app provider benefitted from its prompt response to the incident, which the LfDI took into account when determining the punishment.
In a statement announcing the fine, the LfDI praised Knuddels’ decisiveness in contacting the supervisory authority and affected customers, as well as its willingness to address security failings.
“The very good cooperation with the LfDI spoke in particular to the benefit of the company. The transparency of the company was just as exemplary as the readiness, the guidelines and recommendations of the State Commissioner for Data Protection and Freedom of Information. In this way, the security of the user data of the social media service could be significantly improved in a very short time,” the LfDI wrote.
It added: “The company implemented extensive measures to improve its IT security architecture within a few weeks, bringing its users’ data up to date. In addition, the company will implement additional measures to further improve data security in the coming weeks in coordination with LfDI.”
Laying down the law
There had been speculation that supervisory authorities would issue heavy fines upon the GDPR’s introduction to lay down the law. However, the LfDI’s State Commissioner for Data Protection and Freedom of Information, Stefan Brink, said that the authority “is not interested in entering into a competition for the highest possible fines. In the end, it’s about improving privacy and data security for the users.”
This shouldn’t be a surprise, as data protection authorities have repeatedly said that fines will be a last resort. Issuing heavy financial penalties to an organisation that’s willing to take the necessary corrective actions is counter-productive, as it leaves that organisation fewer resources to make those changes.
But it’s not as though Knuddels got away scot-free. The end result was still a fairly significant fine, even if it isn’t close to the GDPR’s maximum penalty of €20 million (£17.7 million) or 4% of an organisation’s annual global turnover. The money involved should be enough to make organisations take note of the GDPR and realise that violations will be punished.
Suffered a data breach?
If you’re worried about how you’ll respond to a data security incident, you should take a look at our GDPR Breach Support Service. Our experts help you to quickly and effectively navigate the GDPR’s data breach response requirements, ensuring that you meet the 72-hour notification deadline in a structured and compliant manner.