GDPR: German Privacy Regulator Fines 1&1 Telecom 9.55M EUR for insufficient user verification at Customer Services
On Monday, 1 & 1 Telecommunications was fined €9.55 million ($10.6 million) by Germany's Federal Commissioner for Data Protection and Freedom of Information, or BfDI, for its failure to put in place "sufficient technical and organizational measures" to protect customer data in its call center environments. The company has said it will appeal the fine.
The BfDI says it fined 1 & 1 Telecom after discovering that callers to its call center could retrieve customer information simply by giving their name and date of birth, which it said was an insufficient level of authentication for protecting customer data. "In this authentication procedure, the BfDI sees a violation of Article 32 of GDPR, according to which the company is obliged to take appropriate technical and organizational measures to systematically protect the processing of personal data."
BfDI said that after it "criticized the inadequate data protection, 1 & 1 Telecom GmbH was transparent and very cooperative," adding an extra step to require additional information, which the regulator said was a significant improvement both in terms of the technology applied as well as the resulting data protection improvement. The regulator said it applied a relatively low fine, based on 1 & 1 Telecom's cooperation and move to rapidly fix the problem.
We have had cases on authentication in the past, including from a U.K. financial services regulator. Organizations need to check that they are dealing with the right people and that they are not giving data away unnecessarily. When they do spot a possible security vulnerability, organizations need to deal with it quickly and efficiently. "Since then, 1 & 1 has continued to evolve its security requirements," the company says. "For example, since then a three-level authentication system has been introduced, and in the next few days 1 & 1 - being one of the first companies in its sector to do so - will provide each customer with a personal service PIN."