Passwords are the biggest threat to GDPR compliance

With the General Data Protection Regulation (GDPR) in full effect, data protection authorities have imposed their first fine in Germany. In late 2018, the local chat platform knuddels.de was fined €20,000 for storing passwords without encrypting them. As a result, hackers were able to extract and expose 330,000 credentials. The more recent Collections #1-5 leak, dubbed the biggest data dump in history, includes more than 2.4 billion unique usernames and their associated passwords. The GDPR consequences of that breach remain to be seen.

The Collections leak comes just after the shocking news of a 20-year-old hacker leaking the personal information of 1,000 high-profile individuals in Germany. The politicians, celebrities, and journalists affected had their personal information exposed because of bad passwords. While the young man was acting alone, the relative ease with which high-profile targets were exposed is shaking the world of cyber security in Germany.

There is no excuse for a company that overlooks the threat of a breach. These incidents should remind everyone that if you don’t take cyber security seriously, you will eventually pay the cost of a data security failure. Continue reading to learn how you can protect your personal information. If you are a company processing user data, you will also find some practical tips on how security design can help you avoid the most common password vulnerabilities.

How to protect your data

The Collections leak made headlines when cyber security expert Troy Hunt added the leaked account and password information (from Collection #1) to Have I Been Pwned. This free service makes it possible for people to safely check whether their account information or password has been compromised.

You can check whether your email address is included in the Have I Been Pwned list. Just because your email has found its way into one of these database leaks does not necessarily mean you need to panic. To truly gain access to your private information, the hackers will also need your password. You should be concerned if you rely on weak passwords for any of the accounts where your exposed email is used as the login name. If both your email(s) and password(s) are leaked, it becomes very easy for a hacker to run your credentials against other logins (credential stuffing) to access even more data. Turning on two-factor authentication is a good way to protect your accounts, especially those that contain your banking or private information.

How organizations can protect their data

Specops Breached Password Protection is a hosted service with a continuously updated list of previously leaked passwords. The service works together with Specops Password Policy so that companies can block passwords found on the password deny list. It prevents people from choosing banned passwords and tells them why the password cannot be used.

Specops Breached Password Protection currently contains over 4 billion vulnerable passwords, making it a comprehensive service for any organization that wants to eliminate weak passwords, or meet compliance requirements regarding password security.
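As an added illustration (not Specops code and not part of the original post), the check below shows how a password-policy component can consult a breached-password deny list without ever transmitting the plaintext password, using the range-query scheme Have I Been Pwned's Pwned Passwords API uses: only the first five hex characters of the password's SHA-1 are sent, and the service returns every matching hash suffix with its breach count. The range response here is a constructed sample embedded inline so the example runs offline; `fetch_range` and `password_allowed` are names chosen for this example.

```python
import hashlib
from typing import Callable

# Constructed sample of a range response for the hash prefix "5BAA6".
# Each line is the remaining 35 hex characters of a SHA-1 hash and the
# number of breaches it appeared in. The first suffix is the real SHA-1
# suffix of the string "password"; the counts and other suffixes are made up.
SAMPLE_RANGE_5BAA6 = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
    "011053FD0102E94D6AE2F8B83D76FAF94F6:1\r\n"
)


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent
    to the service and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Turn a 'SUFFIX:COUNT' response body into a lookup table."""
    table: dict[str, int] = {}
    for line in body.splitlines():
        if ":" in line:
            suffix, count = line.strip().split(":", 1)
            table[suffix.upper()] = int(count)
    return table


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTP range query; serves the constructed sample."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def breach_count(password: str, fetch_range: Callable[[str], str] = offline_fetch) -> int:
    """How many breaches the password appeared in (0 if not on the deny list)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def password_allowed(password: str, fetch_range: Callable[[str], str] = offline_fetch) -> tuple[bool, str]:
    """Policy decision plus the reason shown to the user, as a deny list would."""
    count = breach_count(password, fetch_range)
    if count:
        return False, f"rejected: this password appears in {count} known breaches"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", password_allowed(candidate))
```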

(Last updated on October 8, 2024)
