A GDPR fine of €9.55m has been applied by the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) after telecommunications provider 1&1 was found guilty of allowing a breach to take place.
The breach took place when 1&1 did not properly secure its customer service line and permitted third parties to obtain customer personal data by supplying only a name and date of birth. The regulator actually praised 1&1 for completely cooperating with the investigation. The company has now said that it will submit an appeal against the GDPR fine.
The incident dates back to 2018, when a caller made an inquiry about the mobile number of a previous partner. 1&1 said that the employee adhered to the security rules in force at the time. The BfDI confirmed that callers to 1&1’s call center could access customer information just by giving a name and date of birth, which it said was not enough authentication for protecting customer data.
The regulator released a statement that said: “The BfDI had become aware that callers could obtain extensive information on further personal customer data in the customer care of the enterprise even by giving the name and date of birth of a customer. In this authentication procedure, the BfDI sees a violation of Article 32 of GDPR, according to which the company is obliged to take appropriate technical and organizational measures to systematically protect the processing of personal data.”
The regulator’s investigation showed that the authentication process was safeguarded through the request of extra information. Due to this breach, 1&1 is now bringing in a new authentication procedure that has been enhanced in terms of technology and data protection, following consultation with the BfDI. Despite the company implementing these new processes, the BfDI chose to impose the fine because the GDPR breach represented a danger for the entire customer base.
Federal Commissioner Ulrich Kelber remarked: “Data protection is fundamental rights protection. The fines imposed are a clear sign that we will enforce this protection of fundamental rights. [GDPR] gives us the opportunity to strongly sanction the inadequate security of personal data. We apply these powers in the light of due consideration.”
Data Protection Officer for 1&1 Julia Zirfas spoke on behalf of her company, saying: “The fine is absolutely disproportionate” and breaches the German legal code’s principles of “equal treatment and proportionality”. She said that the company believes that the regulator erred in how it calculated the fine. She said: “(the breach) it concerned a telephone query using the mobile number of a former partner. The responsible employee fulfilled all the requirements of the then valid 1&1 security guidelines. Since then, 1&1 has continued to evolve its security requirements. For example, since then a three-level authentication system has been introduced, and in the next few days 1&1 – being one of the first companies in its sector to do so – will provide each customer with a personal service PIN.”