Since May 25, 2018, companies who experience a significant data breach won’t just be dealing with a public relations nightmare and financial strain brought on by the breach, but will also face large fines as mandated by the GDPR.
And these fines may be substantial. There are two tiers of fines: Up to 10 million pounds or 2% of annual global turnover (revenue) of the previous year, whichever is higher and up to 20 million pounds or 4% of annual global turnover, whichever is greater.
But what has actually happened so far?
Well the first German fine for a GDPR breach has taught us a great deal:
A popular social chat service, Knuddels, had 808,000 email addresses and over 1.8 million usernames and passwords exposed after an attack this July. The attackers went on to publish the information online at Pastebin and the Mega cloud storage service in cleartext form. An investigation by regulators showed that the website stored its data in plain text with no safeguards.
“In 2012, the storage of passwords was introduced as a hash,” the company said on its message boards (Google translation). “The non-hashed version of the passwords, however, was also preserved.”
The company quickly deleted the un-hashed version of the passwords, adding, “We are sorry that we did not take this step earlier.”
Knuddels learned of the attack in September, informed its users and temporarily deactivated all accounts. They also notified LfDI Baden-Württemberg in accordance with the GDPR and are implementing additional security measures.
Knuddels received a €20,000 fine - on a hack that affected more than 1.8 million accounts. At first glance this doesn’t seem to match the severe penalties threatened by the GDPR regulations?
However, this information from the German LfDI Baden-Württemberg, clarifies much of the vague wording of the GDPR policy “Those who learn from harm and act transparently to improve data protection can emerge stronger as a company from a hacker attack,” The LfDI said in a notice. “As a fine, the LfDI is not interested in entering into a competition for the highest possible fines. The bottom line is improving privacy and data security for the users.”
At the same time, the fact that only 1 of the 99 Articles of the GDPR was breached, (Security of Data Processing - Article 32), reminds us that the GDPR certainly “means business”.
In other words, a company may perfectly comply with the other 98 Articles of the GDPR, but if they don’t implement appropriate security measures, they will still be fined.
This fine should serve as a reminder to companies large and small that part of their compliance obligation under GDPR to implement appropriate technical and organisational measures is to ensure a level of cyber security appropriate to the risk.