I Love It
Enforcement of laws against stupidity. Yeah, if you've got people's data and you don't even use minimally reasonable security practices, smack up side the head. 'Nuff said.
German chat platform Knuddels.de ("Cuddles") has been fined €20,000 for storing user passwords in plain text (no hash at all? Come on, people, it's 2018). The data of Knuddels users was copied and published by malefactors in July. In September, someone emailed the company warning them that user data had been published at …
As well as acknowledging Knuddels' cooperation, the authority's State Commissioner for Data Protection and Freedom of Information, Stefan Brink, said it was avoiding the temptation to enter a "competition for the highest possible fines".
The watchdog also wanted to avoid bankrupting the company. "The overall financial burden on the company was taken into account in addition to other circumstances," the authority noted. ®
Shame, a colossal fine that threatens a company's existence is exactly the thing that would make organisations take security seriously.
@Korev - I think the fine is reasonable as Knuddels apparently copped a mea culpa and fixed the problem (the real intent here). The idea of having a massive fine available is for the Zuckerbergs of the world who did not make dumb mistake but don't care about protecting user data. For the dumb mistakes that are fixed, a mild fine for being stupid. For the Zuckerbergs, bankrupt the bastards.
Sorry I can only give you one upvote, my impression is that as an early offer action and fully explaining what was done it struck the right note. I suspect that the scale of response might tend to increase as the system beds in, though always with the perpetrator's intent in mind. The Zuckerbergs of this world have a mind set only on maximum return for them and to hell with everything and everyone who might threaten that result.
But storing passwords in plain text is more than just a dumb mistake! If the monkey they trusted with thr development of the user registration can't even get their head around the need for it, they deserve to have their heads on pikes at the front gate.
If someone had decided to roll their own crappy crypto, that would at least be understandable.
...they deserve to have their heads on pikes at the front gate.
At some point, the enforcers of GDPR should do this as an example to others. At this point, heavy fines are just a threat. The law might have teeth but the implantation doesn't so where's the motivation for companies to comply? Or two heads on pikes would go a long way to getting others into compliance.
That's the thing...
There's a largish shop in my village growing up, selling model railway stuff. It seemed quite specialist and out of place for a small village, but it turned out they had a strong national reputation and mail-order presence.
Now, I've no idea of their current business, or technical skills or website presence, so this is not related to them specifically, but imagine a fiicticious family company like that.
Presumably they'd by now have got a web presence, where most of their sales would be made. They need a website. They are a single store, family shop, but require a relatively decent online shop - the vast majority of orders would presumably come that way.
Now, they know nothing about the internet, but do know enough about the business to know that they need something more professional than grand-son Johnny to code it, so they search for a company to do the job, and then... the same thing as in this article happens to them.
Should they have known to use a third party transaction site? Should they have known to audit password storage methods?
They hired specialists. As John says, specialists all the way down?
By the way, I'm not writing this as a "gotcha". Presumably they have some sort of protection, but if a dodgy builder caused my house to fall down, presumably he'd be in some guild of builders than underwrite insurance on jobs?
In this case? I dunno. I'm curious, but stupid.
[ EDIT: I just googled the company I originally mentioned. They're still going, over 30 years later, but no ordering website, just some crappy front page template looking from the early 90's... There's more info on them via google maps than via their own website.. wow! ]
You still need to have a stack of paperwork that is signed off by the company's DP officer. (Who in this case, or so the rumour goes, only found out aboút the passwords when the excrement-propeller distance was already critical.)
Basically, GDPR extends the usual Weinberg's Second Law from engineering to about as big an effort on top in paperwork.
"If someone had decided to roll their own crappy crypto, that would at least be understandable."
What level of encryption and/or obfuscation is acceptable as a minimum?
Are there hard and fast rules regarding this or just recommendations?
Could the developer get away with just base 64 encoding users details?
While base64 is an encoding and not crypto, I get your point. The rule of thumb I was taught is to stop when the cost of developing the crypto exceeds the value of the data. So as they were fined €20k, that would give them 2-4 developer months of time (less if they were HPCs). If it takes someone that long to type h=crypto.md5(password) then they are a VHPC.
"I think the fine is reasonable as Knuddels apparently copped a mea culpa and fixed the problem"
Those are factors to take into account. But at some point the message needs to get across that you can't just wander into setting up a site with no knowledge that you need to secure it, or maybe no knowledge of whether the people you entrusted to do that actually did so. If people can get away with saying sorry and fixing it after the event they will, and that doesn't undo the damage that might have been caused. From this event it's probably 800k people who need to change their email addresses with all the inconvenience that causes to get off spam lists and maybe a few of those will lose money getting scammed along the way. Repeat for every business that hasn't got the message yet.
Contrary to popular belief, Europe could actually learn an important bit in the mosaic called "success" from Germany. My several years long experience with scores of Beamte (German public servant) is that they are given quite a wiggle room by the law and they tend to use it with consideration of all parties involved. Single mother failed to file a tax report appendix gets a different treatment than a used car dealership making the same mistake third time in a row. It is my unsubstantiated feeling that the loose law is not abused to a greater degree than a seemingly strict one in other countries. Matters of public interest, like this one, are accompanied by a sentence or two of explanation, again, usually to the point and without much political newspeak. I like to call it a governance soft skill, and to a great regret of the almost dead citizen in me it is not given the sort of attention it ought to earn in other countries proclaiming the intent to get as rich and effective in governing as Germany.
HSBC at least I'm certain is storing my password in plain text.
How do I know? Each time I log in they choose a random subset of characters from my password which they want me to enter. I'm not clear on what the point of this process is (making password managers harder to use would be my guess, because their IT security staff apparently live in backwards-land) but unless they've stored a hashes for every possible combination of 4-character subsamples of my password (which wouldn't be a whole lot better, mathematically) then they're storing it plain-text.
the password is probably never stored (hashed or unhashed) as a complete string
with a couple of the UK banks login is as follows...
Step 1 : enter customer id - date of birth followed by a 4 digit number (the 4 digit part is sequential based on account creation and the date of birth, I know this because I have a couple of business accounts with sequential id numbers)
Step 2 : enter 3 randomly chosen characters from a chosen pin No (not the card pin) - standard form fields not drop down
Step 3 : enter 3 randomly chosen characters from your password - again standard form field not drop down
I remember trying to log into a site (a primary school magazine/blog thing) clicking the "I forgot my password" and receiving an email telling me my password as plaintext.
I use throwaway passwords for trivial sites so the damage wasn't big but I could well imagine that there are many sites like this and many users who use the same password across multiple sites.