Vodafone Germany is going to have to pay hefty fines after Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI) found the telecom company lacking adequate data protection measures for its partners and a vulnerability exposing eSIM profiles.
The BfDI has imposed two fines on Vodafone. The first is a €15 million (roughly $17 million) fine for failing to keep its partners in line with the EU’s General Data Protection Regulation (GDPR), and the second is a €30 million (roughly $34 million) fine for unpatched security vulnerabilities in the MeinVodafone portal, which, if exploited, allowed unauthorised third parties to access a user’s eSIM profile.
According to SecurityWeek, Vodafone claims that the fines are related to past violations and have been paid in full. When asked about how its partners were able to breach GDPR, a Vodafone spokesperson clarified that “insufficient data protection checks by Vodafone led to fraud by malicious employees of partner agencies. Some of this fraud was committed at the expense of Vodafone, and some at the expense of customers.”

As far as the data exposure vulnerability is concerned, the BfDI hasn’t shared any technical details on the bug. However, it did add that Vodafone has now “improved its processes and systems and has even completely replaced them in some cases in order to exclude such dangers in the future.” Vodafone’s representative also claimed that the company is now using higher security standards for customer authentication and handling sensitive data.
What’s good to see is that Vodafone “continuously and fully cooperated” during BfDI’s investigation, a rare sight when it comes to regulatory bodies looking into companies. The BfDI also pointed out that “data protection is often wrongly used as an obstacle to IT investments,” highlighting the savings companies make at the expense of user data safety.