Web Hosting Firm Slapped With $10 Million GDPR Fine

$10 Million GDPR Fine Imposed on German Telco 1&1

The German data protection regulator, the Federal Commissioner for Data Protection and Freedom of Information (BfDI), has imposed a €9.55 million ($10.64 million) GDPR fine on German telecoms provider 1&1 Telecom GmbH. The BfDI describes the amount as being “in the lower range of possible fines”, primarily because of 1&1’s cooperative response to the regulator’s investigation.

The fine was imposed under Article 32 of GDPR (security of processing). Paragraph 2 states, “In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.”

BfDI said in a statement, “In connection with their telephone customer service, the company had not taken sufficient technical and organizational measures to prevent unauthorized persons from being able to obtain customer information.”

The investigation commenced following a complaint from a customer whose personal mobile phone number was given by 1&1’s customer helpline to a former life partner in 2018. Since the former partner already knew a lot of details, the helpline provided the phone number after being given the complainant’s name and date of birth, both facts a former partner can be expected to know. According to BfDI, this was insufficient ‘access control’ for access to personal data.

1&1 cooperated with the investigation. “Following consultation with the BfDI, 1&1 Telecom GmbH is currently in the process of introducing a new authentication procedure which is significantly improved in terms of technology and data protection.” Nevertheless, the regulator felt compelled to issue a fine because the infringement could have potentially affected 1&1’s entire customer base.

Despite saying the fine was in the lower range of possibilities, it remains a major GDPR fine against a European company. Germany had earlier imposed a fine of €14.5 million ($16.15 million) on a German real estate company for storing personal data without a legal basis, and for not implementing privacy by design. The largest GDPR penalty so far is the UK regulator’s proposed $230 million fine against British Airways, announced in 2019 over its 2018 breach. However, the 1&1 fine is significant for both its size, and because it does not directly relate to the organization’s computer systems, but to verbal, human-mediated access to personal data stored on those systems.

In a subsequent statement, 1&1 Telecom has said that it will fight the BfDI decision. It said that it was already using 2-factor authentication by requesting the additional personal information (which in this case was known to the former life partner). Strictly, a name and a date of birth are two pieces of the same kind of factor, something the caller knows, rather than two independent factors; a second fact of the same kind adds little against a caller who already knows the customer well, which is exactly the case that triggered the complaint. 1&1 notes, “At this point… there was no uniform market standard for higher security requirements.” Its claim is that the fine is therefore disproportionate and violates Basic Law.

Nevertheless, it adds, “Since then 1 & 1 has continuously developed the security requirements. For example, a three-level authentication has been introduced in the meantime and in the next few days 1 & 1 – as one of the first companies in its industry – will provide each customer with a personal service PIN.”
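As an added illustration (example code written for this page, not 1&1’s authentication procedure and not anything the BfDI decision describes), the following Python models the difference between the knowledge-only check at issue in the complaint and a helpline policy that additionally requires a per-customer service PIN. The customer record, the four-digit PIN, the lockout threshold and the hashing parameters are all assumptions.

```python
"""Added example: a helpline caller-verification policy (not 1&1's procedure).

Contrasts knowledge-only verification (name + date of birth, both routinely
known to a former partner) with a policy that also demands a per-customer
service PIN, stored hashed, compared in constant time and locked after
repeated failures. The customer data below is constructed for the example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

MAX_PIN_ATTEMPTS = 3          # assumed lockout threshold, not a 1&1 figure
PBKDF2_ROUNDS = 100_000       # assumed work factor


@dataclass
class Customer:
    name: str
    dob: str                  # ISO date, e.g. "1985-04-12"
    phone: str                # the personal data the helpline may disclose
    pin_salt: bytes
    pin_hash: bytes
    failed_pin_attempts: int = 0


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Service PINs are short and low-entropy, so never store them in clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def enroll(name: str, dob: str, phone: str, pin: str) -> Customer:
    salt = os.urandom(16)
    return Customer(name, dob, phone, salt, hash_pin(pin, salt))


def knowledge_check(c: Customer, name: str, dob: str) -> bool:
    """The weak, pre-PIN style check: two facts of the same kind ('something
    you know'), both of which a relative or former partner usually knows."""
    return name.casefold() == c.name.casefold() and dob == c.dob


def pin_check(c: Customer, pin: str) -> bool:
    """Second, independent factor. The lockout stops a caller who knows the
    customer from simply guessing a 4-digit PIN across repeated calls."""
    if c.failed_pin_attempts >= MAX_PIN_ATTEMPTS:
        return False                      # locked: needs out-of-band reset
    if hmac.compare_digest(hash_pin(pin, c.pin_salt), c.pin_hash):
        c.failed_pin_attempts = 0
        return True
    c.failed_pin_attempts += 1
    return False


def disclose_phone(c: Customer, name: str, dob: str,
                   pin: Optional[str] = None) -> Optional[str]:
    """Helpline policy: the phone number is released only when BOTH the
    knowledge check and the PIN check pass. A call that offers no PIN, as
    in the complaint described in the article, gets nothing."""
    if not knowledge_check(c, name, dob):
        return None
    if pin is None or not pin_check(c, pin):
        return None
    return c.phone


def is_locked(c: Customer) -> bool:
    return c.failed_pin_attempts >= MAX_PIN_ATTEMPTS


if __name__ == "__main__":
    # Constructed record; no real customer.
    cust = enroll("Anna Beispiel", "1985-04-12", "+49 170 0000000", "4821")
    # A former partner knows the name and date of birth but not the PIN.
    print(knowledge_check(cust, "anna beispiel", "1985-04-12"))   # True
    print(disclose_phone(cust, "Anna Beispiel", "1985-04-12"))     # None
    print(disclose_phone(cust, "Anna Beispiel", "1985-04-12", "4821"))
```

The point of the lockout is that a service PIN is a possession-like secret only as long as it cannot be guessed: with four digits and no attempt limit, a persistent caller could enumerate it over repeated calls, which is why the counter and the out-of-band reset path belong to the policy rather than being optional extras.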

If the fine is upheld by the courts, it will mean that many companies will need to rethink their existing customer helpline security arrangements. Even without additional security, customers are already unhappy with the difficulties in obtaining telephone support. Companies need to balance security with ease of use. But it is worth noting that BfDI is not thinking of this as a one-off problem: “On the basis of its own findings, indications and customer complaints,” it warns, “the BfDI is also currently investigating the authentication procedures of other telecommunications service providers.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
