Don’t store users’ passwords in cleartext. Really.

It’s not a good idea. Also, it may be deemed a ‘knowing violation’ of the EU General Data Protection Regulation (GDPR) requirement to adequately protect personal data.

That is one key takeaway from the GDPR enforcement action by the State Commissioner for Data Protection and Freedom of Information Baden-Wuerttemberg, Germany (LfDI), against social media company knuddels.de, after a data breach that impacted 800,000 knuddels.de users.

Other takeaways from the enforcement action include:

  • contact your data protection authority (DPA) directly and quickly after a breach
  • inform users immediately and comprehensively about the breach
  • cooperate with your DPA
  • improve your IT security after a breach, even if this requires a significant monetary investment (6 digits’ worth in this case).

Due to the above, the company received a relatively low fine of €20,000.

“As a DPA it is not important for the LfDI to compete for the highest possible fines. What counts in the end is the improvement of data protection and data security for the users concerned.” – says the head of the LfDI, Stefan Brink.

The IAPP has more on the decision.