Knuddels GmbH & Co. KG – €20,000 Fine (Germany, 2018)

Fine: €20,000 | Authority: DPA LfDI | Date: 21 November 2018 | Country: Germany
Status: final
Type: Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Knuddels was fined €20,000 for storing user passwords in plain text, which led to a data breach affecting 330,000 users. The company quickly reported the breach and cooperated with authorities, but the fine underscores the importance of encrypting sensitive data.

What happened

Knuddels stored user passwords in plain text, leading to a data breach affecting 330,000 users.

Who was affected

Users of Knuddels whose passwords and email addresses were exposed in the breach.

What the authority found

The authority fined Knuddels for failing to encrypt user passwords, violating GDPR's data security requirements.

Why this matters

This fine highlights the critical need for companies to encrypt sensitive data like passwords to comply with GDPR and protect user information from breaches.

GDPR Articles Cited

Art. 32(1)(a) GDPR
Art. 83(1) GDPR
Art. 83(2) GDPR

National Law Articles

§ 105 OWiG
§ 107 OWiG
§ 464(1) StPO
§ 465 StPO
§ 107(1) Third Sentence

Full Legal Summary

The company had contacted the LfDI on 8 September 2018 with a data breach report after it had discovered that personal data of approximately 330,000 users, including passwords and email addresses, had been stolen in a hacker attack in July 2018 and had been made public in early September 2018. The company informed its users immediately and comprehensively about the hacker attack in accordance with the GDPR. The company provided the LfDI with exemplary disclosure of its data processing and corporate structures as well as of its own failings.

The LfDI thus became aware that the company had stored the passwords of its users in plain text, i.e. unencrypted and unaltered (unhashed). The company used these clear-text passwords in a so-called "password filter", intended to prevent the transmission of user passwords to unauthorised third parties, with the aim of better protecting the users. By storing the passwords in plain text, the company knowingly violated its obligation to ensure data security when processing personal data in accordance with Art. 32(1)(a) GDPR.

Related Enforcement Actions (0)

No other enforcement actions found for Knuddels GmbH & Co. KG in DE

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date: 21 November 2018
Authority: DPA LfDI
Fine Amount: €20,000
GDPRhub ID: gdprhub-2527

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Knuddels GmbH & Co. KG - Germany (2018). Retrieved from cookiefines.eu
