Vodafone fined for GDPR infractions in Germany

Failure to adequately monitor the work of third-party agencies and security deficiencies in its online portal led to a €45m ($51m) fine.

The telecoms operator has been held responsible for the actions of “partner agencies” working on its behalf and a fine of €15m ($17m) has been levied by the regulator. Although details are sparse, it appears that employees at a number of distributors who arranged contracts with customers on Vodafone’s behalf had acted fraudulently.

According to the Federal Commission for Data Protection and Freedom of Information (BfDI), instances of fraud included, amongst other things, entering into fictitious contracts and making changes to existing contracts, both to the detriment of Vodafone customers.

The BfDI has stressed the cooperation offered by Vodafone, with Louisa Specht-Riemenschneider, the federal commissioner leading the agency, stating that the cooperation had extended to the disclosure of “factual evidence incriminating the company itself.”

Vodafone has ceased working with distributors where fraud had been uncovered and has also amended its processes for selecting, supervising and auditing its distributor partners.

Customer authentication

The BfDI also uncovered security deficiencies in the customer authentication process spanning the “MeinVodafone” online portal and the Vodafone “Hotline.” These shortcomings led to a number of issues, including unauthorized third parties being able to access the eSIM profiles of Vodafone end users.

Vodafone has been fined €30m ($34m) in connection with these issues and has prioritized its work on consolidating and modernizing its IT systems. In addition, both compliance and data protection operations within the organization have been “strengthened.”

Specht-Riemenschneider emphasized that the regulator would always impose sanctions in cases of data breaches, but also suggested that the regulator is keen “to ensure that data breaches do not occur in the first place.” She called on companies not to view data protection as an obstacle but as an opportunity, suggesting that investment in robust systems and processes reduces the risk of both security incidents and the sanctions that inevitably follow.

There were two interesting additional points made in the press release announcing the fine. First, European regulators are finding that the activities of third-party data processors are not being adequately monitored in practice. Data controllers are ultimately accountable for the processing of personal data and that includes any work carried out by processors – something directly on point in this case.

And second, that new technologies (presumably including AI and deepfakes) and “more complex threat scenarios” are leading to heightened risk for customers.