French Electricity Provider Fined for Storing Users’ Passwords with Weak MD5 Algorithm

The French data protection watchdog on Tuesday fined electricity provider Électricité de France (EDF) €600,000 for violating the European Union General Data Protection Regulation (GDPR) requirements.

The Commission nationale de l’informatique et des libertés (CNIL) said the electric utility breached European regulation by storing the passwords for over 25,800 accounts by hashing them using the MD5 algorithm as recently as July 2022.

It’s worth noting that MD5, a message digest algorithm, is considered cryptographically broken as of December 2008 owing to the risk of collision attacks.

Furthermore, the authority noted that the passwords associated with 2,414,254 customer accounts had only been hashed and not salted, exposing the account holders to potential cyber threats.
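To illustrate the two failings CNIL cited, a fast broken hash and the absence of a salt, here is an added example (not code from the article, EDF or CNIL) contrasting plain MD5 with a per-user salted, deliberately slow key derivation, plus a simple audit a defender can run over a credential table; the user names, passwords and storage format are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed sample credentials: two users who happened to choose the same password.
SAMPLE_USERS = {"alice": "Winter2022!", "bob": "Winter2022!"}


def legacy_md5_hash(password: str) -> str:
    """The weak scheme in the CNIL decision: plain, unsalted MD5.
    Identical passwords produce identical digests, so one precomputed
    table or one cracked digest covers every account using that password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Hardened scheme: random per-account salt plus a slow key-derivation
    function (PBKDF2-HMAC-SHA256 from the standard library).
    Stored form (constructed for this example): 'pbkdf2_sha256$<iter>$<salt hex>$<digest hex>'."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, unique per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or legacy format: reject rather than guess
    _, iters, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def duplicate_hash_count(hashes: Iterable[str]) -> int:
    """Audit check: number of distinct stored hashes shared by more than one
    account. Any duplicates at all indicate an unsalted password store."""
    counts: dict = {}
    for h in hashes:
        counts[h] = counts.get(h, 0) + 1
    return sum(1 for c in counts.values() if c > 1)


if __name__ == "__main__":
    legacy = [legacy_md5_hash(p) for p in SAMPLE_USERS.values()]
    salted = [salted_hash(p) for p in SAMPLE_USERS.values()]
    print("duplicate MD5 hashes:", duplicate_hash_count(legacy))    # 1
    print("duplicate salted hashes:", duplicate_hash_count(salted)) # 0
```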

The probe also pointed fingers at EDF for failing to comply with GDPR data retention policies and for providing “inaccurate information on the origin of the data collected.”

“The amount of the fine was decided considering the breaches observed and the cooperation by the company and all the measures it has taken during the proceedings to reach compliance with all alleged breaches,” the CNIL said.

The fines arrive less than two weeks after CNIL fined Discord €800,000 for its failure to respect data retention periods for inactive accounts and enforce a strong password policy.
