Weak account checks earn company $10.5 million privacy fine

What’s been 2019’s scariest cybersecurity trend?

There are plenty of candidates, of course, but let’s make the case for one that’s unlikely to be on most people’s worry list – the EU’s General Data Protection Regulation (GDPR).

If a European regulation sounds a bit underwhelming as threats go, consider the case of German call centre company 1&1 Telecommunications, which has just been whacked with a €9.6m ($10.5 million) fine for allegedly failing to fully authenticate people phoning up to access their accounts.

According to Germany’s federal data protection commission, the BfDI, customers were able to authenticate themselves using only their name and date of birth when calling the company.

If accurate, this would represent a major security risk. Nobody should be able to phone up a company and gain access to personal information using something as easily obtained as a person’s name and birthday.

More to the point, it’s a violation of Article 32 of the GDPR, Security of Processing, which is why a single customer reported the company’s lax security after complaining that their data had been accessed by a former partner.

Big teeth

The maximum fine under GDPR is 4% of annual global turnover or the equivalent of $22 million – whichever is greater – in theory, the largest fines levied anywhere in the world for this kind of data protection failure.

For large companies, fines could run to billions. Even for small companies, it could be millions.

When GDPR came into force in the EU in May 2018 (it also applies to US and other foreign subsidiaries operating in or through the EU), it wasn’t clear how often such large fines would be imposed. The assumption was that the appeal process and negotiation might water them down.

Yet, in July 2019, the UK’s Information Commissioner announced its intention to fine British Airways £183 million ($230 million), equivalent to 1.5% of the company’s turnover, for the 2018 Magecart card-skimming attack.

A day later, the same authority handed hotel group Marriott International a £99.2 million fine for a long-running breach in an acquired subsidiary affecting 339 million customers, which was made public in 2018.

We don’t know whether appeals against these fines will be successful but there is a growing sense they won’t – the GDPR is a new reality and someone was going to be made an example of.

1&1 Telecom

The difference in the 1&1 Telecom case is that the breach being punished related to only one customer; any effect on other customers is largely hypothetical, and the processes involved have reportedly since been tightened.

The company’s attorney, Julia Zirfas, was unimpressed:

The fine is absolutely disproportionate. The new fine, after which the sum was calculated and applies to the entire German economy, was published on 14 October 2019 and is based on the annual consolidated sales. Even the smallest deviations can result in huge fines.

When compared to the vast Marriott breach, it could be argued the fine is out of proportion to the damage done.

The opposing view is that even potential breaches affecting smaller numbers of people can be serious and the best way to avoid repeat incidents is to frighten companies into change.

While the average consumer is probably barely aware of all this, GDPR fines are now at the top of many organisations’ worry lists for 2020.

Sometimes, the most alarming – and significant – cybersecurity trends are the ones few people are paying attention to.