Cybersecurity · Telecommunications · 2019
1&1 Telecom GmbH
The Federal Data Protection Commissioner (BfDI) fined 1&1 Telecom GmbH €9.55 million for maintaining a grossly inadequate customer service authentication procedure that allowed any caller to access another person's complete account information — including contact details, contract terms, and phone numbers — simply by providing the target's name and date of birth, information obtainable from publicly available sources. The BfDI found this two-element authentication was categorically insufficient given the sensitivity of the account data disclosed and constituted a systemic GDPR Art. 32 failure. The fine was reduced on appeal.
Fine Imposed: €9.6M
Authority: BFDI-DE
Regulation: Bundesdatenschutzgesetz (Federal Data Protection Act 2018)
Max fine: GDPR maxima apply (€20M / 4% global turnover); BDSG §43 adds up to €300,000 for certain specific violations
Status: active
Key Takeaways
- Customer service authentication must be proportionate to the sensitivity of data accessible — name-plus-birthdate verification for full account disclosure is insufficient and constitutes a systemic GDPR technical security failure that regulators will treat as an affirmative violation.