The Federal Data Protection Authority found a violation of Article 32 of the GDPR and fined 1&1 9.8 million euros. The violation was caused by the company's telephone authentication mechanism: a caller only had to give a customer's name and date of birth to change that customer's account information. The FDPA also stated that it will investigate the telephone authentication methods of all major web services and telecom providers in Germany.
1&1: Absolutely disproportionate
1&1 has filed a lawsuit against the DPA, claiming that the amount of the fine is absolutely disproportionate. 1&1 states:
1&1 Telecom GmbH will not accept the fine decision issued against it by the Federal Commissioner for Data Protection and Freedom of Information (Federal Data Protection Commissioner) and will sue. The Federal Data Protection Commissioner has imposed a fine of 9.55 million euros for an individual case. The authority accuses 1&1 of having failed to comply with technical and organizational measures to protect personal data through non-compliant telephone authentication.
This procedure was not about the general protection of data stored at 1&1, but about how customers can access their contract information. The case in question already occurred in 2018. Specifically, it concerned the telephone query of a former partner's mobile number. The responsible employee fulfilled all the requirements of the then-valid 1&1 security guidelines. At that time, two-factor authentication was common, and there was no single market standard for higher security requirements.
Conclusion
This issue once again shows the importance of penetration tests. We all know that tech giants spend huge amounts of money on penetration tests to evaluate their safeguards. But it seems that most penetration testers focus mainly on software and network security.
Problems like this one underline the importance of also testing authentication methods, social engineering aspects, and even the physical location and accessibility of devices such as servers. Web hosting companies should rule out any possibility of GDPR violations during penetration tests, and should even ask the penetration testers to create and evaluate unusual situations in order to improve both their methods and their employees.