TechLetters #107 - Probabilistic user tracking/ad matching abused. #GDPR boosting security by design of password. Remote code execution in bluetooth and ping. Cyberattacks and missile strikes.
techletters.substack.com
Security
GDPR fine for bad password practices. The French data protection authority has fined Electricite de France, France's largest electricity provider, €600,000. Storing hashed passwords without a 128-bit random "salt", and using MD5 at all, was identified as a violation of GDPR Article 32, which concerns the security of data processing. This is of course only part of the reason behind such a fine. It is nonetheless an interesting precedent spelling out what the legal password security requirements are in 2022. Some may wonder: is the use of MD5 or unsalted hashes at other companies an infringement? Yes, it is. The tricky part: should such practices now be reported "within 72 hours" of identifying such a data protection breach? And additionally: if this was used between 2018 (when the GDPR entered into force) and, say, 2021, is that period still open to a GDPR fine? Good luck in deciphering it! Who knows, perhaps it's worth a €20.000.000?
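To make the distinction the regulator drew concrete, here is an added example (not code from this newsletter or from EDF): an unsalted MD5 store next to a per-user, 128-bit-salted, iterated hash, plus a small audit helper for spotting legacy records. The choice of PBKDF2-HMAC-SHA256, the iteration count and the record format are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Weak scheme (the practice objected to above): one unsalted MD5 per password.
# Every user with the same password gets the same stored value.
def weak_md5_hash(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Hardened scheme (assumed parameters, not taken from the ruling): a 16-byte
# (128-bit) random salt per user and a slow, iterated hash. PBKDF2-HMAC-SHA256
# is used because it ships in the standard library; Argon2 or bcrypt via a
# third-party library would be the usual production choice.
SALT_BYTES = 16
ITERATIONS = 600_000
SCHEME = "pbkdf2_sha256"

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    if len(salt) != SALT_BYTES:
        raise ValueError("salt must be exactly 128 bits")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Self-describing record so the scheme and cost can be rotated later.
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so timing does not leak which bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def looks_like_unsalted_md5(stored: str) -> bool:
    """Audit helper: a bare 32-hex-digit value with no scheme or salt fields is
    the signature of a legacy unsalted MD5 store and should be flagged for migration."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower())

def shared_passwords_visible(stored_hashes: list) -> bool:
    """True if the store reveals that two records share a password (identical values)."""
    return len(set(stored_hashes)) < len(stored_hashes)
```

Running the audit helper over an existing credential table is a quick way to find records that still need migrating to a salted scheme at next login.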