Vodafone Germany has been hit with a whopping €45 million (around $51 million) fine for major privacy failures by the Federal Commissioner for Data Protection and Freedom of Information (BfDI).
The hefty fine underlines Germany’s strict application of the General Data Protection Regulation (GDPR) and points to serious shortcomings in Vodafone’s data protection regime.
The fine is split into two parts addressing two separate but equally serious offences. A €15 million portion was imposed because Vodafone had not adequately monitored and supervised its partner agencies.
It emerged that agents appointed by these agencies to negotiate contracts on Vodafone’s behalf had been involved in fraud, including fabricating bogus contracts and altering existing customer contracts without authorization, to the direct detriment of consumers.
The BfDI underscored Vodafone’s obligation to pass its compliance obligations on to its third-party processors, an obligation that had not been met.
The majority of the fine, €30 million, came about due to serious authentication weaknesses in Vodafone’s “MeinVodafone” web portal and its customer service hotline.
These weaknesses, in turn, allowed unauthorized third parties to illicitly obtain sensitive customer data, potentially including eSIM profiles. The breach highlights a fundamental flaw in the company’s IT systems and authentication procedures, putting customers’ information at risk of misuse.
Louisa Specht-Riemenschneider, Federal Commissioner for Data Protection and Freedom of Information, said that while it would need to be discussed what consequences were appropriate, she hoped they wouldn’t have to be used at all due to the preventative work of her office. She also commended Vodafone for its “unrestricted and continuous co-operation” during the trial, and said the company had given evidence against itself.
Vodafone Germany has confirmed the fines and has paid them in full. The company apologized for the unintended consequences to its customers and said it had completely overhauled its systems and operations.
This entails tightened guidelines for partner selection and evaluation, higher security standards for its customer authentication systems, and a complete overhaul of its handling of sensitive customer data.
Vodafone has also cut ties with the partner agencies connected to the fraud and has donated millions of euros to charities that promote data protection and digital education.
The penalty underscores the importance of establishing a strong data protection regime before engaging third-party partners, for data controllers in general and telecoms companies in particular. With GDPR enforcement ramping up throughout the EU, businesses are advised to invest in IT security and compliance to protect client trust and reduce the risk of costly fines.