GDPR fine for running a website with outdated software

By: MRT Desk

In the context of the GDPR, technical aspects play a decisive role in the question of whether the personal data held is adequately protected. In particular, the state of the art must be taken into account when determining appropriate technical and organizational measures.

A violation of these technical requirements has now proved costly for a company from Lower Saxony. At the instigation of the state's data protection officer, it had to pay a fine of 65,500 euros for violating Art. 25 and Art. 32 GDPR. This follows from the authority's recently published activity report for the year 2020 (p. 97).

The proceedings were triggered by a report that the company itself made to the authority about a data protection incident. The authority took this report as an opportunity to examine the company's website from a technical point of view. It turned out that the web shop application xt:Commerce in version 3.0.4 SP2.1 was running on the site. This version has been out of date since 2014 at the latest and no longer receives security updates from the manufacturer. On the contrary, the manufacturer had explicitly warned against continuing to use version 3 of its software. The background to the warning was significant security vulnerabilities which, among other things, made SQL injection attacks possible.

The investigation by the Lower Saxony authority also showed that the passwords stored in the database were "secured with the cryptographic hash function MD5". However, MD5 is not designed for hashing passwords, so the plaintext passwords could have been recovered by computation. In addition, "no salt was used", which would have made such systematic computation much more difficult. For the protection of passwords, the activity report refers to the BSI technical guideline BSI TR-02102-1, "Cryptographic Mechanisms: Recommendations and Key Lengths".

Because of these inadequate security precautions, it was possible in the present case to determine the plaintext passwords and then try further attack vectors with manageable effort. Implementing a salt function and an up-to-date hash algorithm designed for passwords was possible for the company at a relatively high cost, especially if this functionality is obtained by means of newer versions of the software. The same applies to closing known security holes for which updates are available.
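To illustrate the two findings above in code, here is an added example that is not from the article, the authority or the xt:Commerce project. It assumes a hypothetical shop user table in Python, shows the unsalted MD5 storage the authority criticised beside a salted PBKDF2-HMAC-SHA256 record, and adds a login routine that upgrades a legacy record on the next successful login; the iteration count, the record format and the sample users are assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample data: a legacy user table storing unsalted MD5 hex digests,
# the scheme the authority criticised. Equal passwords give equal stored values.
def legacy_md5(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

SAMPLE_USERS: Dict[str, str] = {
    "alice": legacy_md5("Sommer2020"),
    "bob": legacy_md5("Sommer2020"),   # same password -> identical digest
}

PBKDF2_ITERATIONS = 600_000  # assumed cost parameter; tune on your own hardware

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256 record; format (assumed): scheme$iters$salt_hex$hash_hex."""
    salt = salt or os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Check a password against a stored record and return (ok, record_to_keep).
    A legacy MD5 record that verifies is replaced by a salted record, so the weak
    form is retired without forcing a password reset."""
    if stored.startswith("pbkdf2_sha256$"):
        _, iters, salt_hex, hash_hex = stored.split("$")
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(digest.hex(), hash_hex), stored
    if hmac.compare_digest(legacy_md5(password), stored):
        return True, hash_password(password)
    return False, stored

def login(users: Dict[str, str], name: str, password: str) -> bool:
    """Authenticate and persist the upgraded record on success."""
    stored = users.get(name)
    if stored is None:
        return False
    ok, record = verify_and_upgrade(password, stored)
    if ok:
        users[name] = record
    return ok

if __name__ == "__main__":
    table = dict(SAMPLE_USERS)
    print("legacy alice == bob:", table["alice"] == table["bob"])
    print("login alice:", login(table, "alice", "Sommer2020"), table["alice"][:30])
```

Until every account has logged in once, the remaining MD5 records stay weak, so a migration should also force a reset for accounts that remain dormant past a deadline.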

In its assessment of the incident, the authority concluded that the technical measures taken by the controller did not meet the protection requirements of the GDPR, so that Article 32 GDPR had been violated. A fine of 65,500 euros was then imposed, which the company accepted. It was counted in the company's favour that, before the fine proceedings, it had already informed the persons concerned that a password change was necessary.


(emw)