Vodafone Spain almost 4 million Euros GDPR fine for loss of confidentiality related to mobile phone sim card duplicate and a lack of accountability

“Various claims are filed as a result of the issuance of duplicate SIM cards to third parties other than subscribers. As a result of the above, the holders of the telephone line are not only left without service, but the third parties access their bank accounts.”

“Spanish DPA carries out research actions to analyze the procedures followed to manage SIM change requests by Vodafone Spain, identifying the vulnerabilities that may exist in the implemented operating procedures, to detect the causes for which these cases could be occurring, as well as to find points of non-compliance, improvement or adjustment, to determine responsibilities, reduce risks and increase security in the processing of personal data of affected persons.

The data that is processed to issue a duplicate SIM card and the SIM card (Subscriber Identity Module), which unequivocally identifies the subscriber on the network, are personaldata, and their treatment must be subject to data protection regulations.

It has been verified that the measures implemented by Vodafone Spain were insufficient, so they generated a loss of confidentiality and the transfer of personal data to a third party.

It was also found the lack of accountability by not having implemented an effective GDPR compliance and management model to avoid the risk of identity theft, in relation to the absence of adequate security measures and aimed at ensuring the procedure of identification and delivery of the SIM card, the materialization of the risks, the delayed temporary reaction to the events described, in addition to the inadequacy of the measures taken.”