GDPR: Outdated software leads to high fine for website

Because a company from Lower Saxony operated its website with outdated software, it is now facing a large fine. The reason for the fine of a whopping 65,500 euros was inadequate protection of user passwords.

Clear violation of the GDPR

With the entry into force of the General Data Protection Regulation (GDPR) a few years ago, many website operators were shaking at the knees. After all, strict regulations for websites have been laid down within the Europe-wide regulations. Technical details also play an important role, as a case from Lower Saxony now makes clear. Since outdated software usually also entails weaker protection of personal user data, this can already be a decisive violation of the GDPR. The consequences of such a violation are now being experienced by the company from Lower Saxony. In the course of the violation, the data protection authority of Lower Saxony is now demanding a hefty fine of 65,500 euros. In doing so, the data protection experts are relying on Articles 25 and 32 of the GDPR.

Fine preceded by warning

However, the fine did not come quite as surprisingly as it may seem to the report for the small company. For example, the company concerned forwarded an incident with data protection relevance to the Lower Saxony data protection authority in advance. In the course of this, the authority naturally had a review of the technical design of the website carried out. During this review, the public authority had to find out that the company was using a web store application that had already been considered outdated for more than seven years. Important security updates on the part of the developer no longer exist for this version. The developer even went so far as to emphasize that the outdated version should no longer be used. Gigantic security holes for webshops would otherwise be the consequence.

Despite this warning, the company exposed itself to great risk and opened the door to so-called SQL injection attacks. However, the use of the outdated version was not the only major problem, according to the data protection authority. On top of that, the company did not secure the user passwords adequately. For example, they used a cryptographic hash function (MD5), which is explicitly not suitable for use with passwords in plain text. Last but not least, the authority could not detect any salt in terms of password security. This is now a mandatory requirement for cryptographic processes.

Fine was reduced

Although the amount of the threatened fine may sound high, the company still seems to have gotten off lightly. The reason for this is that the Lower Saxony website operator informed the people who were affected by the low password security even before the proceedings began. As a result, they were able to contain the risks by simply changing their passwords. Accordingly, the authority reduced the fine to “only” 65,500 euros.

If this is already the lower penalty amount, we don’t want to know what the company would have faced in a normal case. Nevertheless, the fine is more than annoying when you consider how easy it would have been for the company to bring its security measures up to date. In this case, it becomes clear how important it is to always keep one’s website up-to-date. Online stores, which store sensitive data, are particularly targeted by data protection authorities. In view of the risks for the users concerned, this control is also right and important.