Knuddels Flirt App becomes first German firm to be fined under GDPR
- Knuddels has been fined for a breach that resulted in the exposure of around 808,000 email addresses and over 1.8 million usernames and passwords.
- Knuddels suffered the attack in July after a hacker published the data online on Pastebin and the Mega cloud storage service in cleartext form.
Germany’s Data Protection Authority slapped Knuddels with a fine over a data breach that exposed millions of records. The popular regional dating, flirting and chat service was fined around $22,667. This marks the first time that Germany has imposed a penalty on a company after the launch of the General Data Protection Regulation (GDPR).
The online dating firm has been fined for a breach that resulted in the exposure of around 808,000 email addresses and over 1.8 million usernames and passwords.
GDPR aims at strengthening the data rights of residents of European countries and came into force on May 25, 2018. It primarily focuses on taking action against organizations that are involved in the misuse of data. In essence, GDPR seeks to bring more transparency to people by informing them about the kind of data that is collected by companies and how it is used by them.
Depending on the amount of data breached, a firm can be fined up to 20 million euros or 4 percent of the annual revenue of the firm’s previous fiscal year, under GDPR.
About the hack
Knuddels suffered a breach in July after a hacker published the information online on Pastebin and the Mega cloud storage service in cleartext form. The firm confirmed to the regulators that the website stored its data in plaintext format.
“In 2012, the storage of passwords was introduced as a hash. The non-hashed version of the passwords, however, was also preserved,” the company said on its message board.
Knuddels learned about the attack in September and has since implemented appropriate security measures to prevent such attacks in the future. The firm also removed the unhashed version of the passwords and has notified the law enforcement authority about the breach.
“We are sorry that we did not take this step earlier. Knuddels is safer than ever,” Holger Kujath, the managing director of Knuddels, told Spiegel Online.
“The company implemented extensive measures to improve its IT security architecture within a few weeks, bringing its users' data up to date. In addition, the company will implement additional measures to further improve data security in the coming weeks in coordination with LfDI,” said Baden-Württemberg Data Protection and Freedom of Information (LfDI) in a press release.
Stefan Brink, the state commissioner of LfDI, highlighted the importance of the protection of data, saying, “As a fine, the LfDI is not interested in entering into a competition for the highest possible fines. In the end, it's about improving privacy and data security for the users.”