A GDPR penalty of €9.55m has been imposed on telecommunications provider 1&1 by the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) for a violation of the General Data Protection Regulation (GDPR).
The breach occurred because 1&1 did not adequately secure its customer service line and allowed third parties to obtain customers’ personal data by providing only a name and date of birth. The regulator praised 1&1 for cooperating fully with the investigation. The company has now said that it will appeal the penalty.
The incident dates back to 2018 when an inquiry was made by a caller about the mobile number of a previous partner. 1&1 said that the employee followed the security rules in place at the time. The BfDI revealed that callers to 1&1’s call center could access customer information simply by giving a name and date of birth, which it said was an insufficient level of authentication for providing customer data.
The regulator commented: “The BfDI had become aware that callers could obtain extensive information on further personal customer data in the customer care of the enterprise even by giving the name and date of birth of a customer. In this authentication procedure, the BfDI sees a violation of Article 32 of GDPR, according to which the company is obliged to take appropriate technical and organizational measures to systematically protect the processing of personal data.”
The regulator’s investigation found that the authentication process was secured through the request of additional data. As a result of the breach, 1&1 is now introducing, together with the BfDI, a new authentication procedure that is stronger both technically and in terms of data protection. Although the company has taken these steps to address the issue, the BfDI chose to impose the fine because the GDPR breach placed the entire customer base at risk.
Federal Commissioner Ulrich Kelber remarked: “Data protection is fundamental rights protection. The fines imposed are a clear sign that we will enforce this protection of fundamental rights. [GDPR] gives us the opportunity to strongly sanction the inadequate security of personal data. We apply these powers in the light of due consideration.”
1&1 has published a statement saying that it will appeal the fine, arguing that the case does not concern the general security of the data stored by 1&1 but only how customers can access the information contained in their contract.
Data Protection Officer for 1&1 Julia Zirfas remarked: “The fine is absolutely disproportionate” and breaches the German legal code’s principles of “equal treatment and proportionality”. She said that the company believes the regulator erred in how it calculated the fine. She said: “(The breach) concerned a telephone query using the mobile number of a former partner. The responsible employee fulfilled all the requirements of the then valid 1&1 security guidelines. Since then, 1&1 has continued to evolve its security requirements. For example, since then a three-level authentication system has been introduced, and in the next few days 1&1 – being one of the first companies in its sector to do so – will provide each customer with a personal service PIN.”