Vodafone fined 80,000 euros over the fraudulent duplication of a SIM card

A very expensive lack of diligence.

Oliver Thansan
26 September 2023 Tuesday 22:41

The Spanish Data Protection Agency (AEPD) has imposed a fine of 80,000 euros on Vodafone for failing to verify the identity of a caller who requested a duplicate SIM card. The supposed customer turned out to be a scammer, who used the new card to make fraudulent transfers totalling 5,000 euros.

The victim is a young woman from Aragon who realized something was wrong when, having lost service on her line, she went to a Vodafone customer service point, where staff confirmed that another person had requested a new SIM card for her number.

According to the note made public by the Organization of Consumers and Users (OCU), the telephone operator “did not follow a rigorous procedure that would allow the identity of the applicants to be verified,” all the more so given that the call was made from Norway rather than from Zaragoza, where the owner's address is located, and that it was placed from a hidden number.

The AEPD considers it proven that a third party requested a duplicate of the complainant's SIM card through a telephone call to the customer service center, and that the card was delivered to that third party. The third party thereby gained access to the complainant's banking details and carried out several unauthorized transactions totalling 5,000 euros, using the authentication SMS received.

On that basis, the Agency considers that there was “illicit processing of the claimant's personal data”, which contravenes data protection regulations. Its resolution states that “the procedure implemented by the claimed party was not followed, since, if it had been done, it should have been denied.” Among the measures that were not carried out was the recording of the call.

As a consequence, the company was initially fined 100,000 euros, an amount later reduced by 20% to the final 80,000.

It is not the first time that Vodafone has lost a battle over the management of its customers' personal data. In January of this same year, the AEPD also fined it 100,000 euros for not properly verifying the identity of a new customer who signed up for a line in 2019, which was allegedly used to commit scams on Wallapop.

For its part, the OCU has asked operators to exercise “extreme surveillance” and to implement security systems that carry out an “effective identity check” of clients.

Furthermore, the organization criticizes the fact that, although current data protection regulations allow exemplary sanctions to be imposed on companies, they do not provide for “direct compensation” for the user whose data has been violated. This is the case for the affected young woman, who must now try to recover the money through her bank or go to court to get it.