Vodafone Spain Fined €200,000 for Unauthorized Delivery of a SIM Card to a Third Party

Table of Contents
    Introduction
    What Vodafone could not provide?
    AEPD Decision
    Learning

Introduction

On 14 December 2022, a case was brought before the Spanish Data Protection Authority (AEPD) that underscores the critical importance of robust security measures in handling personal data.

A Vodafone Spain customer filed a complaint alleging that a third party, without consent, fraudulently obtained a duplicate SIM card. This allowed the fraudster to gain access to sensitive personal information, including the customer’s bank account details.

The company argued that the third party used valid access credentials obtained through social engineering. It also claimed that its logistics provider verified the identity of the fraudster upon SIM delivery.

What Vodafone could not provide?

Vodafone admitted they could not provide critical evidence, such as:

  • A signature confirming the SIM card delivery.
  • A recording of the activation call necessary to use the SIM.

AEPD Decision

The AEPD found Vodafone Spain at fault for failing to implement adequate measures to prevent impersonation. As a company processing large volumes of personal data, Vodafone is required to:

  • Have strong systems in place to prevent identity theft.
  • Demonstrate compliance with GDPR, particularly Article 6(1), which mandates lawful processing of personal data.

Since Vodafone could not provide evidence of compliance or adherence to its security policies, the AEPD imposed a €200,000 fine.

Learning

Organizations handling personal data must go beyond basic verification systems and adopt robust measures to prevent fraud and impersonation. Technologies such as Multi-Factor Authentication should be a standard component of default authentication protocols.

 
