French Electricity Provider Fined for Storing Users’ Passwords with Weak MD5 Algorithm

By: Ravie Lakshmanan
The French data protection watchdog on Tuesday fined electricity provider Électricité de France €600,000 for violating the European Union General Data Protection Regulation (GDPR) requirements.
The Commission nationale de l’informatique et des libertés (CNIL) said the electric utility breached European regulation by storing the passwords for over 25,800 accounts by hashing them using the MD5 algorithm as recently as July 2022.
It’s worth noting that MD5, a message digest algorithm, is considered cryptographically broken as of December 2008 owing to the risk of collision attacks.

Furthermore, the authority noted that the passwords associated with 2,414,254 customer accounts had only been hashed and not salted, exposing the account holders to potential cyber threats.
The probe also pointed fingers at EDF for failing to comply with GDPR data retention policies and for providing “inaccurate information on the origin of the data collected.”
“The amount of the fine was decided considering the breaches observed and the cooperation by the company and all the measures it has taken during the proceedings to reach compliance with all alleged breaches,” the CNIL said.
The fines arrive less than two weeks after CNIL fined Discord €800,000 for its failure to respect data retention periods for inactive accounts and enforce a strong password policy.
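
The storage weakness the CNIL describes (a fast hash with no salt) shown beside a salted, memory-hard alternative and an upgrade-on-login path, as an added example that is not part of the original article. The scrypt cost parameters, the `scrypt$salt$digest` record format and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed scrypt cost parameters for this example (not from the article).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2**14, 8, 1, 32


def legacy_md5(password: str) -> str:
    """Unsalted MD5: identical passwords always give identical digests."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt record in the assumed form 'scrypt$<salt>$<digest>'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N,
                            r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Check a password against either record format, constant-time compare."""
    if record.startswith("scrypt$"):
        _, salt_hex, _ = record.split("$")
        expected = hash_password(password, bytes.fromhex(salt_hex))
    else:
        expected = legacy_md5(password)
    return hmac.compare_digest(expected, record)


def login_and_upgrade(store: dict, user: str, password: str) -> bool:
    """After a successful login, replace a legacy MD5 record with scrypt."""
    record = store.get(user)
    if record is None or not verify(password, record):
        return False
    if not record.startswith("scrypt$"):
        store[user] = hash_password(password)  # fresh random salt per user
    return True


if __name__ == "__main__":
    # Constructed sample: two accounts that share one password.
    store = {u: legacy_md5("Winter2022!") for u in ("alice", "bob")}
    print("legacy digests equal:", store["alice"] == store["bob"])
    for u in store:
        login_and_upgrade(store, u, "Winter2022!")
    print("upgraded records equal:", store["alice"] == store["bob"])
```

Because the plaintext is only available at login, accounts that never sign in keep their legacy record until they are reset or the old digest is wrapped in the new scheme.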

