1&1 Telecom GmbH has been hit with one of the largest fines dished out so far under European GDPR legislation, Germany’s federal privacy watchdog has announced.
1&1 has been fined €9.55 million (US $10.6 million) by Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI), after the telecoms company was found not to have taken sufficient measures in its call centre to prevent unauthorised parties from accessing customer data.
The BfDI says that it became aware that anyone could obtain extensive personal information on 1&1’s customers simply by calling the customer care department and giving a name and date of birth.
The BfDI ruled that 1&1 was, therefore, in violation of article 32 of the GDPR legislation, by failing to take appropriate technical and organisational measures to protect the handling of personal data.
The German data protection agency determined that, although the number of affected customers was small, a fine was necessary because 1&1’s entire customer base was at risk.
The fine could have been higher, but the BfDI took into account that 1&1 took steps to improve things – by asking for additional information to verify the identity of individuals – in its call centre when its inadequate security was brought to its attention. The company also says it will be introducing a new authentication system that it hopes will significantly improve the protection of data.
The BfDI says that it has since opened investigations into other telecoms providers to see if they are similarly failing to properly protect customers’ private information.
Compared to other GDPR fines related to more significant breaches – such as the £183 million penalty imposed on British Airways, and the £99 million fine on Marriott International – 1&1 has got away relatively lightly.
But few companies of its size will be happy paying a fine of almost 10 million euros, and we can only hope that other businesses will heed the headlines and ensure that they have proper technology and procedures in place to avoid the risk of their own customers having their private details exposed to unauthorised parties.
Update: This story has been updated to clarify that the telecom arm of 1&1 GmbH was affected, not its web-hosting services.