Fine due to outdated software when operating a web store

A company from Lower Saxony was recently fined €65,500 for operating a web store with outdated software. The security vulnerabilities caused by the old software version made it possible to calculate user passwords with little effort.

The accusation

The responsible supervisory authority took a notification from the company to the authority regarding a data protection incident as an opportunity to review the company's web store.

Results of the investigation

It turned out that the website used the xt:Commerce web store application version 3.0.4 SP2.1. This has been outdated since at least 2004 and accordingly no security updates are provided anymore. The manufacturer even warned against using this version due to significant security vulnerabilities, including the possibility of SQL injection attacks.

Although the passwords stored in the database were secured with the cryptographic hash function "MD5", this cryptographic procedure was no longer state of the art and thus no longer designed for use with passwords. Breaking the old procedure for encrypting passwords was therefore possible.

In addition, no "salt" was used, which would have made the systematic calculation much more difficult by lengthening the password.

SQL injection attacks

With the help of such, attackers can gain access to credentials of all persons registered in the application and other data in the database. Security vulnerabilities of this type occur when not all end-user modifiable input is masked so that it is not understood as a command by the database. If this masking is missing, each command is executed by the database as a command with its own rights. Consequences are that the whole database table can be output, deleted or modified.

The fine

The supervisory authority considered the technical measures used by the controller to be inadequate within the meaning of Art. 25 GDPR and thus found a violation of Art. 32 I GDPR.

When calculating the fine, mitigating consideration was given to the fact that the company informed the persons concerned in good time and recommended that they set a new password.

The company accepted the fine of €65,500.

Recommendation

Often, the use of up-to-date and patched software is sufficient to avoid security gaps and to operate web applications in compliance with data protection regulations. The use of current cryptographic processes is essential and requires only a small amount of effort. Existing security gaps are eliminated in an uncomplicated and timely manner by updates from the manufacturer.

In addition to updates, we regularly perform vulnerability assessments on all our clients, both externally and internally, in order to find even the last technical security gaps and vulnerabilities in the client's IT systems.

Current recommendations for implementing password security can be found on the website of the German Federal Office for Information Security (BSI) and in the corresponding technical guideline "Kryptographische Verfahren: Recommendations and Key Lengths" (BSI TR-02102-1).

In individual cases, professional advice on the most suitable solution is always recommended.