The Federal Commissioner for Data Protection and Freedom of Information (BfDI), Prof. Dr. Louisa Specht-Riemenschneider, has imposed two fines totalling 45 million euros on Vodafone GmbH. Malicious employees in partner agencies, which broker contracts to customers on behalf of Vodafone, had committed fraud, including by creating fictitious contracts or contract changes at the expense of customers.
A fine of 15 million euros was imposed because in terms of data protection law (Article 28 (1) sentence 1 GDPR), Vodafone GmbH had not adequately reviewed and monitored partner agencies working on its behalf.
Moreover, as vulnerabilities in certain distribution systems had been identified, the BfDI issued a warning to Vodafone for violating Article 32(1) of the GDPR.
A further fine of 30 million euros was imposed for security deficiencies in the authentication process for the combined use of the online portal "MeinVodafone" ("My Vodafone") with the Vodafone hotline. The identified authentication vulnerabilities enabled unauthorized third parties to, among other things, access eSIM profiles.
Vodafone GmbH has now improved its processes and systems, and in some cases completely replaced them, in order to eliminate such risks in the future. It has also revised its processes for selecting and auditing partner agencies and has parted ways with partners identified as having committed fraud.
The fines have been accepted and have already been paid in full to the federal treasury.
The experience of data protection authorities shows that companies in many industries have an investment backlog in modernizing and consolidating IT systems. As a result, some companies are cutting back on security. The use of data processors is also often not adequately monitored in practice. New technological possibilities and more complex threat scenarios lead to increased risks for customers, who could suffer damages due to a lack of data protection.
"Data protection is often mistakenly seen as an obstacle to IT investments. In fact, the opposite is true: without IT investments, there is the threat of security incidents and sanctions from data protection regulators. Therefore, my appeal: investing instead of incurring risks!", BfDI head Louisa Specht-Riemenschneider said.
Source: bfdi.bund.de