Next time you are reading a privacy policy, make sure to verify whether your data is processed by third-party companies. Vodafone is facing a small fine for not properly vetting the data protection practices of its third-party partners.
German data privacy regulators on Monday fined the multinational telecommunications company Vodafone €45 million ($51.2 million) for what authorities called “malicious behavior” by third-party sales agents and for security flaws in its authentication processes.
The German data privacy regulator, the Federal Commissioner for Data Protection and Freedom of Information (BfDI), alleged that “partner agencies” working with Vodafone arranged fraudulent deals with customers on the company’s behalf, including by using fictitious contracts or changing contract terms in ways that hurt clients.
As a result, the agency fined the company €15 million ($17.1 million) because it had not “adequately checked and monitored partner agencies working for it” under the terms of Europe’s tough General Data Protection Regulation (GDPR), according to a BfDI press release.
The regulator fined the telecom company an additional €30 million ($34 million) for what it called security flaws in the authentication process for customers using the company’s online portal and hotline.
“The discovered authentication vulnerabilities allowed, among other things, unauthorized third parties to access eSIM profiles,” the press release said.