Zum Hauptinhalt springen

Don’t Use Unsupported Software

Operating supported software is of the utmost importance, and I'm not just saying that for dramatic purposes. Not only does it serve to protect your infrastructure, but above all, it is part of your responsibility to protect the personal data of your users and customers.

Why is it so essential to use officially supported software? Because in today's information age, shady people are trying to get a hold of your bank accounts and credit card information. Plus, specialized companies are constantly trying to collect and trade personal data known as data brokers.

Data brokers

These data brokers use personal data as a valuable commodity; they create user profiles that they sell to the highest bidder. Is this legal? Essentially yes! Data brokers mainly operate within the law and don't even require your consent. They collect, bundle, and sell your information to third parties interested in targeting you as a consumer. They know personal information about you like your full name, age, gender, email address, phone number, date of birth, place of residence, personal interests, buying habits, and education level. With the abundance of social media websites like Facebook, Twitter, and YouTube, many people share large parts of their personal lives, but what about not actively shared information? What about information leaked from a trusted source?

General Data Protection Regulation

The GDPR was created to regulate the use of and, most importantly, to protect the personal information of EU citizens and residents. It is based on guidelines and regulations to ensure the proper acquisition, handling, storage, and deletion of said information.

Recent history

A violation of these technical specifications will cost a company from Lower Saxony, Germany, €65,000 for a breach of articles 25 and 32 of the DSGVO. But what happened?

Outdated software was used for the online shop of their website. The software in question was version 3.0.4 (SP2.1) of 'xt: Commerce', a version no longer receiving security updates and no longer officially supported by the manufacturer since 2014. The manufacturer actively warns about using version 3, as the version suffers from significant security gaps, which among other things, made attacks via SQL injection possible.

Heise reported: "The investigations by the authority from Lower Saxony also showed that the passwords stored in the database were "secured with the cryptographic hash function MD5". However, it was not designed for passwords, so that a calculation of the plain text passwords would have been possible. In addition, "no Salt was used". To secure passwords, the activity report refers to the technical guideline "Cryptographic Procedures: Recommendations and Key Lengths" BSI TR-02102-1 of the BSI."

This latest case from Germany shows how carelessly entities entrusted with personal data sometimes deal with them. However, this does not only apply to private websites or webshops, it also doesn't stop at municipal and state institutions, which are more readily placed with greater trust. In the following, we describe two relatively recent cases from Denmark where Southern Denmark (Syddanmark) and Central Denmark (Midtjylland) were each fined for violating the guidelines set out in the GDPR.

The region of Southern Denmark used a screening tool to regularly check if it inadvertently published any social security numbers on the region's website. However, the screening tool failed to scan the underlying data in PowerPoint presentations, rendering the region unable to meet the data protection regulation requirements for an adequate level of security. The Danish Data Protection Authority imposed a fine of ~€67,000 (500,000 kr).

The Danish region of Central Jutland did not guarantee a sufficiently high level of security when storing patient files in an archive in the Brædstrup Lifestyle Center. The Danish Data Protection Agency report states that all patients and staff at the lifestyle center had key cards with access to all buildings. Including access to 100,000 physical patient files with health information and social security numbers. The Danish Data Protection Authority recommended a fine of ~€54,000 (400,000 kr).

Conclusion

These few examples we looked at in this article clearly show personal data is only secure if you follow all security precautions and guidelines specified by the General Data Protection Regulation. No matter if the information is analog or digital, no matter the entity or medium.

Non-compliance can result in heavy fines for the operator. Even worse than fines is the risk for your users and customers. In a worst-case scenario, their data is exposed to a high risk of being compromised, resold, and used for criminal activities.

Of course, we can only make one clear recommendation: No matter what kind of project you run, only use officially supported software! Don't take any chances or hesitate to act. To ensure legal compliance and the safety of personal data!