
1&1 Telecom GmbH hit by almost €10 million GDPR fine over poor security at call centre


1&1 Telecom GmbH has been hit with one of the largest fines dished out so far under European GDPR legislation, Germany’s federal privacy watchdog has announced.

1&1 has been fined €9.55 million (US $10.6 million) by Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI), after the telecoms company was found not to have taken sufficient measures in its call centre to prevent unauthorised parties from accessing customer data.

The BfDI says that it became aware that anyone could obtain extensive personal information on 1&1’s customers simply by calling the customer care department and giving a name and date of birth.

The BfDI ruled that 1&1 was, therefore, in violation of article 32 of the GDPR legislation, by failing to take appropriate technical and organisational measures to protect the handling of personal data.

The German data protection agency determined that, although the number of affected customers was small, a fine was necessary because 1&1’s entire customer base was at risk.

The fine could have been higher, but the BfDI took into account that 1&1 took steps to improve things in its call centre – by asking for additional information to verify the identity of callers – when its inadequate security was brought to its attention. The company also says it will be introducing a new authentication system that it hopes will significantly improve the protection of data.

The BfDI says that it has since opened investigations into other telecoms providers to see if they are similarly failing to properly protect customers’ private information.

Compared to other GDPR fines related to more significant breaches – such as the £183 million penalty imposed on British Airways, and the £99 million fine on Marriott International – 1&1 has got away relatively lightly.

But few companies of its size will be happy paying a fine of almost 10 million Euros, and we can only hope that other businesses will heed the headlines and ensure that they have proper technology and procedures in place to avoid the risk of their own customers having their private details exposed to unauthorised parties.

Update: This story has been updated to point out that the telecom part of 1&1 GmbH was affected, not its web-hosting services.

About the author

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.
