German Telecoms Provider Fined €9.55m for GDPR Breach

The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) has imposed a fine of €9.55m on telecommunications provider 1&1 for a General Data Protection Regulation (GDPR) breach.

The breach occurred when 1&1 did not sufficiently safeguard its customer service line and permitted third parties to obtain customer personal data by providing only a name and date of birth. The regulator commended 1&1 for completely cooperating with the investigation. The company has now said that it will appeal the fine.

The incident goes back as far as 2018 when an inquiry was made by a caller about the mobile number of a former partner. 1&1 said that the employee followed the security rules in place at the time. The BfDI said that callers to 1&1’s call center could access customer information simply by providing a name and date of birth, which it said was an insufficient level of authentication for protecting customer data.

The regulator said: “The BfDI had become aware that callers could obtain extensive information on further personal customer data in the customer care of the enterprise even by giving the name and date of birth of a customer. In this authentication procedure, the BfDI sees a violation of Article 32 of GDPR, according to which the company is obliged to take appropriate technical and organizational measures to systematically protect the processing of personal data.”

The regulator’s investigation revealed that the authentication process was secured through the request of additional information. As a result of this breach, 1&1 is now introducing a new authentication procedure that has been improved in terms of technology and data protection, in consultation with the BfDI. Despite the company taking these measures to address the issue, the BfDI chose to impose the fine because the GDPR breach represented a risk for the entire customer base.

Federal Commissioner Ulrich Kelber said: “Data protection is fundamental rights protection. The fines imposed are a clear sign that we will enforce this protection of fundamental rights. [GDPR] gives us the opportunity to strongly sanction the inadequate security of personal data. We apply these powers in the light of due consideration.”

1&1 has released a statement saying that it will appeal the fine as it does not relate to the general protection of data stored by 1&1, but to how customers can access their information included in a contract.

Data Protection Officer for 1&1 Julia Zirfas said: “The fine is absolutely disproportionate” and breaches the German legal code’s principles of “equal treatment and proportionality”. She said that the company believes that the regulator erred in how it calculated the fine. She said: “[The breach] concerned a telephone query using the mobile number of a former partner. The responsible employee fulfilled all the requirements of the then valid 1&1 security guidelines. Since then, 1&1 has continued to evolve its security requirements. For example, since then a three-level authentication system has been introduced, and in the next few days 1&1 – being one of the first companies in its sector to do so – will provide each customer with a personal service PIN.”