French Electricity Provider Fined for Storing Users’ Passwords with Weak MD5 Algorithm
The French data protection watchdog on Tuesday fined electricity provider Électricité de France €600,000 for violating the European Union General Data Protection Regulation (GDPR) requirements.
The Commission nationale de l’informatique et des libertés (CNIL) said the electric utility breached European regulation by storing the passwords for over 25,800 accounts by hashing them using the MD5 algorithm as recently as July 2022.
It’s worth noting that MD5, a message digest algorithm, is considered cryptographically broken as of December 2008 owing to the risk of collision attacks.
Furthermore, the authority noted that the passwords associated with 2,414,254 customer accounts had only been hashed and not salted, exposing the account holders to potential cyber threats.
The probe also pointed fingers at EDF for failing to comply with GDPR data retention policies and for providing “inaccurate information on the origin of the data collected.”
“The amount of the fine was decided considering the breaches observed and the cooperation by the company and all the measures it has taken during the proceedings to reach compliance with all alleged breaches,” the CNIL said.
The fines arrive less than two weeks after CNIL fined Discord €800,000 for its failure to respect data retention periods for inactive accounts and enforce a strong password policy.