Germany Imposes €45 Million Fine on Vodafone for Privacy Violations

The German data protection authority (BfDI) has sanctioned Vodafone GmbH with a €45 million ($51.4 million) fine due to serious privacy and security breaches. The infractions stemmed from malicious actions by employees at partner agencies, which led to numerous instances of fraud involving fictitious contracts and unauthorized changes to existing agreements without customer consent.

On Thursday, BfDI outlined in a statement that a significant portion of the penalty—€15 million—was a direct consequence of Vodafone’s inadequate oversight of partner agencies. These agencies allowed employees to execute unauthorized contract modifications, thereby deceiving customers into signing contracts based on false premises. The authority emphasized the importance of stringent monitoring to prevent such issues.

In addition to the fine for inadequate monitoring, the British multinational telecommunications giant faced a separate €30 million penalty for authentication vulnerabilities within its MeinVodafone platform and customer hotline. These flaws allowed attackers to exploit customer profiles, posing a significant risk to user data and privacy. Prof. Dr. Louisa Specht-Riemenschneider, the Federal Commissioner for Data Protection and Freedom of Information, affirmed that it is crucial for companies to take proactive measures to avoid data breaches.

Vodafone has reportedly taken steps to address these issues, updating its internal processes and systems, including a complete overhaul of its partner agency selection and auditing procedures. The company has also discontinued partnerships associated with fraudulent activities. In response to the situation, Vodafone has already paid the fines and contributed several million euros to initiatives advocating data protection and combating cyberbullying. In light of these developments, the firm continues to serve over 330 million customers across 15 countries.