Vodafone Faces €45 Million GDPR Fine Over Partner Fraud and Security Issues
The Federal Institute for Digital Infrastructure (BfDI) has imposed fines totaling €45 million on Vodafone GmbH. These penalties arose due to fraudulent activities committed by employees in partner agencies who broker contracts on Vodafone’s behalf. The fraud involved fictitious contracts and unauthorized contract changes that harmed customers.
Vodafone was fined €15 million for failing to adequately monitor and control its partner agencies as required by data protection law, specifically Article 28(1) sentence 1 of the GDPR. Additionally, the BfDI issued a warning over vulnerabilities found in some of Vodafone’s distribution systems, a violation of Article 32(1) GDPR, which requires appropriate technical and organizational security measures.
A further €30 million fine was levied due to security weaknesses in the authentication process of Vodafone’s “MeinVodafone” online portal and hotline. These vulnerabilities allowed unauthorized third parties to access eSIM profiles. Vodafone has since improved and replaced certain processes and systems to mitigate these risks and revised its partner agency selection and auditing procedures. The BfDI plans a follow-up audit to verify the effectiveness of these measures.
Prof. Dr. Specht-Riemenschneider highlighted Vodafone’s full cooperation during the investigation and noted the company’s commitment to data protection. Vodafone has prioritized IT modernization and compliance projects, strengthened its privacy practices, and donated several million euros to organizations promoting data protection and media literacy and combating cyberbullying. The BfDI stresses that data protection violations must be sanctioned, but also believes companies should be empowered to prevent breaches, turning data protection into a competitive advantage.