$10m GDPR Fine; Why we Need GDPR in Bug Bounties

Today media outlet HEISE reported that 1&1 Web Hosting in Germany was hit with 9.8 million euros in fines over GDPR violations.

The phone authentication mechanism that customers used to change account information required only a name and birthdate. This is a clear violation of the GDPR, and the Federal Data Protection Commissioner showed that these laws are not being taken lightly.

The Federal Data Protection Authority found a violation of Article 32 of the GDPR, which requires companies to take appropriate technical and organizational measures to systematically protect the processing of personal data. 1&1 failed to do so, resulting in this massive fine.

The FDPA also stated that it will be investigating the phone authentication of all major web service and telecom providers operating in Germany.

Surprisingly, this is not the largest fine: that award goes to the German real estate company Deutsche Wohnen, fined 14.5 million euros. The FDPA is said to be leveraging such large fines in order to push these companies to much faster action.

1&1 has filed a lawsuit against the DPA, claiming the amount was “absolutely disproportionate”.

Montabaur, 09 December 2019. 1&1 Telecom GmbH will not accept the fine decision issued against it by the Federal Commissioner for Data Protection and Freedom of Information (Federal Data Protection Commissioner) and will sue. The Federal Data Protection Commissioner has imposed a fine of 9.55 million euros for an individual case. The authority accuses 1&1 of having failed to comply with technical and organizational measures to protect personal data through non-compliant telephone authentication.

This procedure was not about the general protection of data stored at 1&1, but about how customers can access their contract information. The case in question already occurred in 2018. Specifically, it was about the telephone query of the mobile number of a former partner. The responsible employee fulfilled all the requirements of the 1&1 security guidelines valid at the time. At that time, two-factor authentication was common and there was no single market standard for higher security requirements.

Should Bug Bounty Programs include GDPR Violations?

Bug bounty programs such as HackerOne and Bugcrowd allow hackers to legally test companies' infrastructure to find and exploit security vulnerabilities.

These recent fines raise the question of whether hackers and social engineers should be allowed to test these companies for GDPR violations. We think yes.

A triaged bug bounty typically pays out anywhere from 50 dollars on the low end to 20,000 dollars on the high end, and sometimes more for full-chain remote code execution attacks against products from Google and Apple.

Even at the high end, including GDPR violations in the scope of a bug bounty program seems like the obvious choice.

With the average GDPR fine reaching into the millions, a few thousand dollars is a drop in the bucket.

Feel free to comment and let us know what you think.