German data protection authorities have imposed a €45 million ($51.2 million) fine on Vodafone for what they described as serious data privacy breaches involving both third-party sales practices and weak digital security systems. The Federal Commissioner for Data Protection (BfDI) cited 'malicious behaviour' by partner agencies and security flaws that allowed unauthorised access to customer accounts.
Investigators found that some of Vodafone's partner agencies engaged in fraudulent conduct, including altering or forging contracts to the detriment of customers. Vodafone was fined €15 million for failing to properly supervise these partners, as required by the European Union's General Data Protection Regulation (GDPR).
Additionally, a €30 million fine was levied due to vulnerabilities in Vodafone's customer authentication systems, which potentially allowed outsiders to access sensitive services like eSIM profiles. Vodafone has acknowledged the issues, attributing them to inadequate data protection checks at the time.
The company expressed regret for the impact on customers and emphasized that under new management, it has overhauled its data protection protocols to prevent future breaches.
Louisa Specht-Riemenschneider, Germany's federal data protection commissioner, underscored the importance of data security, stating that user trust in digital services depends on strong safeguards. She added that proper compliance can even be a competitive advantage, as EU regulators continue to crack down on companies that violate GDPR standards.
