French Electricity Provider Fined for Using Weak MD5 Algorithm to Store User Passwords

The French data protection authority penalized Électricité de France €600,000 on Tuesday for failing to comply with the General Data Protection Regulation (GDPR) of the European Union.

The electric utility was accused of violating European law by storing the passwords of more than 25,800 accounts hashed with the MD5 algorithm as recently as July 2022, according to the Commission Nationale de l’Informatique et des Libertés (CNIL).

Notably, the MD5 message digest algorithm has been regarded as cryptographically broken since December 2008 because of practical collision attacks.

The regulator also pointed out that the passwords of 2,414,254 customer accounts had merely been hashed, not salted, leaving the account holders exposed to online threats.
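To make the two findings concrete, here is the weak scheme the CNIL objected to (unsalted MD5) beside a hardened replacement. This is an added example, not EDF's code and not anything the CNIL published: PBKDF2-HMAC-SHA256 with a per-user random salt is my choice of standard-library replacement (Argon2 or bcrypt via a third-party library would serve equally well), and the usernames and passwords are constructed sample data.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credentials for illustration only (not real account data).
# Note that alice and bob happen to share a password.
USERS = {
    "alice": "Winter2022!",
    "bob": "Winter2022!",
    "carol": "correct horse battery staple",
}


def weak_md5_hash(password: str) -> str:
    """The weak scheme: a single unsalted MD5 digest of the password.

    Every user with the same password gets the same digest, so one entry
    in a precomputed lookup table (or one cracked hash) reveals all of them,
    and MD5 is fast enough that brute force is cheap anyway.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Salted, deliberately slow hash using PBKDF2-HMAC-SHA256.

    A fresh 16-byte random salt is drawn per user unless one is supplied
    (verification re-supplies the stored salt). The result is a
    self-describing record: 'pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>'
    so the parameters can be raised later without breaking old records.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare."""
    try:
        scheme, iterations, salt_hex, _digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2_sha256":
        return False
    recomputed = strong_hash(password, bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so response timing does not leak how many bytes matched.
    return hmac.compare_digest(recomputed, stored)


def duplicate_password_groups(hashes: dict[str, str]) -> list[set[str]]:
    """Group usernames whose stored hashes are identical.

    Against an unsalted store this exposes shared passwords with no cracking at all;
    against a per-user-salted store it finds nothing even when passwords are shared.
    """
    by_hash: dict[str, set[str]] = {}
    for user, h in hashes.items():
        by_hash.setdefault(h, set()).add(user)
    return [users for users in by_hash.values() if len(users) > 1]


if __name__ == "__main__":
    weak_store = {u: weak_md5_hash(p) for u, p in USERS.items()}
    strong_store = {u: strong_hash(p) for u, p in USERS.items()}
    print("unsalted MD5 reveals shared passwords:", duplicate_password_groups(weak_store))
    print("salted PBKDF2 reveals nothing:        ", duplicate_password_groups(strong_store))
    print("login alice/correct:", verify_strong("Winter2022!", strong_store["alice"]))
    print("login alice/wrong:  ", verify_strong("wrong", strong_store["alice"]))
```

Running the script shows that the MD5 store leaks the alice/bob password reuse by inspection alone, while the salted store gives every user a distinct record; the iteration count makes each guess roughly a hundred thousand times more expensive than a single MD5 call.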

The investigation also charged EDF with violating GDPR data retention regulations and giving “inaccurate information on the origin of the data obtained.”

The fine’s amount was determined “taking into account the breaches observed and the company’s cooperation and all the actions it has taken during the proceedings to seek compliance with all the alleged breaches,” the CNIL stated.

Less than two weeks earlier, the CNIL had fined Discord €800,000 for failing to enforce data retention policies for inactive accounts and strong password policies. Both fines have now been issued.
