The French knowledge safety watchdog on Tuesday fined electrical energy supplier Électricité de France €600,000 for violating the European Union Normal Information Safety Regulation (GDPR) necessities.
The Fee nationale de l’informatique et des libertés (CNIL) stated the electrical utility breached European regulation by storing the passwords for over 25,800 accounts by hashing them utilizing the MD5 algorithm as lately as July 2022.
It is price noting that MD5, a message digest algorithm, is taken into account cryptographically damaged as of December 2008 owing to the danger of collision assaults.
Moreover, the authority famous that the passwords related to 2,414,254 buyer accounts had solely been hashed and never salted, exposing the account holders to potential cyber threats.
The probe additionally pointed fingers at EDF for failing to adjust to GDPR knowledge retention insurance policies and for offering “inaccurate data on the origin of the information collected.”
“The quantity of the tremendous was determined contemplating the breaches noticed and the cooperation by the corporate and all of the measures it has taken through the proceedings to succeed in compliance with all alleged breaches,” the CNIL stated.
The fines arrived lower than two weeks after CNIL fined Discord €800,000 for its failure to respect knowledge retention durations for inactive accounts and implement a robust password coverage.
