Vodafone Germany Fined $51 Million Over Privacy, Security Failures

Wireless carrier Vodafone received a €45 million (~$51 million) fine in Germany over failures to adequately protect user data, the Federal Commissioner for Data Protection and Freedom of Information (BfDI), the country’s data privacy regulator, announced.

BfDI imposed two fines on Vodafone, one for failing to check and monitor partners in line with Europe’s data protection law, the General Data Protection Regulation (GDPR), and another for vulnerabilities in the authentication process on the company’s online portal.

Vodafone was fined €15 million (~$17 million) after the regulator discovered that employees at partner agencies brokering contracts on behalf of Vodafone tricked customers into signing fictitious contracts or into making contract changes that hurt the customers.

A separate €30 million (~$34 million) fine was imposed for security defects in the authentication process for the MeinVodafone portal used in conjunction with the carrier’s hotline, which enabled third parties to access users’ eSIM profiles.

“Companies that want to comply with data protection law must be empowered to do so. Data protection is a trust factor for users of digital services and can therefore become a competitive advantage. More and more companies are understanding this,” BfDI head Louisa Specht-Riemenschneider said, praising Vodafone’s cooperation throughout the investigation.

Responding to a SecurityWeek inquiry, Vodafone Germany said that the fines were related to data protection violations committed in the past and that it has already paid them fully.

“In the first case, insufficient data protection checks by Vodafone led to fraud by malicious employees of partner agencies. Some of this fraud was committed at the expense of Vodafone, and some at the expense of customers,” a Vodafone spokesperson said.

In the second case, Vodafone said, BfDI pointed out authentication weaknesses exposing eSIM profiles. The regulator also criticized the security of Vodafone’s IT systems and the access options available to its partners.

“Vodafone regrets that customers were negatively affected by this. The systems and measures in place at the time ultimately proved to be insufficient,” the spokesperson said.

“Vodafone has analyzed and fundamentally revised its systems and processes. This includes stricter guidelines, more monitoring options for partners, and higher security standards, such as for customer authentication and the general handling of sensitive customer data,” Vodafone’s representative said.
