$11 Million Fine for Authentication Shortcomings at Telecommunications Provider
Headquarters of 1 & 1 Telecom in Montabaur, Germany (Photo: 1&1)
One of the largest fines to date for violating the EU’s General Data Protection Regulation has been announced by Germany’s federal privacy watchdog.
On Monday, 1 & 1 Telecommunications was fined €9.55 million ($10.6 million) by Germany’s Federal Commissioner for Data Protection and Freedom of Information, or BfDI, for its failure to put in place “sufficient technical and organizational measures” to protect customer data in its call center environments. The company has said it will appeal the fine.
Also on Monday, in a separate case, the BfDI announced a fine of €10,000 ($11,100) against internet service provider Rapidata GmbH for its failure to appoint a data protection officer, as required by GDPR, which in Germany is known as the Datenschutz-Grundverordnung, or DSGVO.
Officials at the Breisgau, Germany-based firm didn’t immediately respond to a request for comment. Regulators said the amount of the fine reflected its failure to comply with multiple requests, but also the fact that it is a small business.
“Data protection is fundamental rights protection,” says Federal Commissioner Ulrich Kelber. “The fines imposed are a clear sign that we will enforce this protection of fundamental rights. [GDPR] gives us the opportunity to strongly sanction the inadequate security of personal data. We apply these powers in the light of due consideration.”
1&1 Fined for Poor Authentication
Based in the small, western German city of Montabaur, 1 & 1 Telecommunication SE is one of Germany’s biggest DSL and mobile service providers. It’s a subsidiary of 1 & 1 Drillisch AG, which is one of the country’s largest network-independent telecommunications providers, with about 14 million customers. The company is part of the United Internet Group, which includes all other 1 & 1 companies, including the popular global hosting firm 1&1 IONOS.
The BfDI says it fined 1 & 1 Telecom after discovering that callers to its call center could retrieve customer information simply by giving their name and date of birth, which it said was an insufficient level of authentication for protecting customer data.
Excerpt from GDPR Article 32 (Source: U.K. Information Commissioner’s Office)
“The BfDI had become aware that callers could obtain extensive information on further personal customer data in the customer care of the enterprise even by giving the name and date of birth of a customer,” the regulator says in its announcement of the fine. “In this authentication procedure, the BfDI sees a violation of Article 32 of GDPR, according to which the company is obliged to take appropriate technical and organizational measures to systematically protect the processing of personal data.”
GDPR came into full effect on May 25, 2018.
1&1 Praised for Transparency, Cooperation
BfDI said that after it “criticized the inadequate data protection, 1 & 1 Telecom GmbH was transparent and very cooperative,” adding an extra step to require additional information, which the regulator said was a significant improvement both in terms of the technology applied as well as the resulting data protection improvement.
“Despite these measures, the imposition of a fine was necessary,” the regulator said, based on the potential data exposure. “Among other things, the infringement was not only limited to a small number of customers, but represented a risk for the entire customer base.”
The regulator said it applied a relatively low fine, based on 1 & 1 Telecom’s cooperation and move to rapidly fix the problem.
Legal Appeal Planned
The telecommunications firm says it plans to appeal.
“The fine is absolutely disproportionate,” says attorney Julia Zirfas, who serves as the company’s data protection officer. She says the fine breaches the German legal code’s principles of “equal treatment and proportionality” and contends that the regulator erred in how it calculated the fine.
1 & 1 Telecom said the basis for the GDPR complaint that led to the fine involved a 2018 case. “Specifically, it concerned a telephone query using the mobile number of a former partner. The responsible employee fulfilled all the requirements of the then valid 1 & 1 security guidelines,” which the BfDI later warned were insufficient, it says.
“Since then, 1 & 1 has continued to evolve its security requirements,” the company says. “For example, since then a three-level authentication system has been introduced, and in the next few days 1 & 1 – being one of the first companies in its sector to do so – will provide each customer with a personal service PIN.”
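The weakness the regulator describes (name and date of birth are enough to unlock a record) and the remedy the company describes (a per-customer service PIN) can be shown side by side. The following is an added illustration, not 1&1's or the BfDI's code; the record layout, the attempt limit and the customer details are constructed for the example, and nothing is known about how 1&1's actual three-level procedure works.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Attributes a caller may know without being the customer: an ex-partner,
# relative or anyone who has seen a bill can supply all of these.
QUASI_PUBLIC = {"name", "date_of_birth", "phone_number"}
MAX_PIN_ATTEMPTS = 3  # assumed lockout threshold for this example


@dataclass
class CustomerRecord:
    name: str
    date_of_birth: str
    phone_number: str
    pin_salt: bytes
    pin_hash: bytes          # PIN is stored hashed, never in clear text
    failed_pin_attempts: int = 0


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Slow salted hash so a leaked record table does not reveal PINs.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def make_record(name: str, dob: str, phone: str, pin: str) -> CustomerRecord:
    salt = secrets.token_bytes(16)
    return CustomerRecord(name, dob, phone, salt, hash_pin(pin, salt))


def old_policy(rec: CustomerRecord, claims: dict) -> bool:
    """The procedure criticised by the BfDI: matching name and date of
    birth is treated as authentication and unlocks the whole record."""
    return (claims.get("name") == rec.name
            and claims.get("date_of_birth") == rec.date_of_birth)


def pin_policy(rec: CustomerRecord, claims: dict) -> bool:
    """Hardened procedure: quasi-public data only *identifies* the record;
    access requires the secret service PIN, with a lockout on repeated failure."""
    if not old_policy(rec, claims):
        return False                       # could not even locate the customer
    if rec.failed_pin_attempts >= MAX_PIN_ATTEMPTS:
        return False                       # locked: needs out-of-band reset
    pin = claims.get("service_pin")
    if pin is None:
        return False                       # name + DOB alone is no longer enough
    ok = hmac.compare_digest(hash_pin(pin, rec.pin_salt), rec.pin_hash)
    rec.failed_pin_attempts = 0 if ok else rec.failed_pin_attempts + 1
    return ok
```

Run against a constructed record, the same name-and-birthdate claim that passes `old_policy` is refused by `pin_policy`, and three wrong PINs lock the record even for a caller who later supplies the correct one.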
Data Security and Integrity Takeaways
Clearly, this case demonstrates that for privacy regulators, data security and integrity are paramount, writes Jonathan Armstrong, an attorney at London-based Cordery who specializes in compliance matters, in a research note to clients. The case also demonstrates the likelihood that organizations will appeal any GDPR fines that regulators attempt to impose.
“This case tells us that, as we predicted prior to GDPR coming in, the security and integrity of data is important,” Armstrong says.
“We have had cases on authentication in the past including from a U.K. financial services regulator. Organizations need to check that they are dealing with the right people and that they are not giving data away unnecessarily. When they do spot a possible security vulnerability organizations need to deal with it quickly and efficiently.”
1&1’s decision to appeal the privacy regulator’s decision is also not unexpected. “Cases like this will often be appealed,” Armstrong says. “The way in which fines are calculated in cases like this is not clear.”