The Spanish Agency of Data Protection (AEPD) has investigated several complaints against a telecom for failing to prevent identity theft. The telecom failed to verify the identities of third parties which led to identity theft of multiple customers. This directly violates Article 5 of the GDPR which ensures appropriate security when processing personal data.
Nine customers of the telecom alleged that third parties had called requesting replicas of their SIM cards. The telecom failed to verify the identity of these people and so the replica SIMs were sent out. These SIMs were then used to make bank transfers via the customers banking apps as their verify users’ identities via their phone.
Article 5 of the GDPR ensures personal data is processed with adequate security. This includes protection against unauthorized or unlawful processing, accidental loss, destruction or damage. Article 32 requires implementation of appropriate technical and organisational measures to ensure appropriate security levels.
Final Decision
It was concluded that the telecom failed to prove that they verified:
- The identity of the persons requesting the SIM card replicas
- Invoices issued
- Effectiveness of measures they implemented to prevent identity theft
The telecoms security measures were insufficient as it only took basic knowledge of personal data to circumvent their security policy and obtain the replica SIMs. In addition, the telecom was unable to show any accountability and were unable to provide any evidence of:
- Proper analysis
- Planning
- Implementation
- Maintenance
- Control
- Security measure updates
They did not act with enough diligence to prevent the circumvention of their security measures against identity theft. Despite it being a risk the telecom should have been aware of and acted against. The telecom argued human error was to blame and not a larger failing but the investigation said the high number of data breaches occurring due to human error indicates a lack of care.
A fine of €3,940,000 must be paid by the telecom for its non-compliance with GDPR. This took into account certain factors such as:
- Nature, gravity and duration of the offence
- Number of data subjects involved
- The level of damage suffered by the Complainants
- Telecom’s failure to consider conducting a data protection impact assessment
- The negligent character of the offence
- Previous offences committed by the company which also concerned indentity theft
- At least nine were mentioned
Value Privacy are on hand to make sure your company is set against data and privacy risks. Contact us today to find out how we can help your business.
