Vodafone fined €45 million by German regulator over major data protection failures

Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI) has imposed a €45 million ($51.4 million) fine on Vodafone GmbH, the German subsidiary of the British telecommunications firm, citing severe breaches of privacy and security regulations.

The fine includes €15 million for Vodafone’s failure to properly oversee its partner agencies. According to BfDI, employees within these partner agencies fraudulently altered customer contracts or created fictitious agreements, leading to financial and privacy risks for affected consumers.

An additional €30 million penalty was levied due to authentication weaknesses in Vodafone’s customer platforms, specifically the MeinVodafone portal and customer hotline. These vulnerabilities reportedly allowed unauthorized access to customer eSIM profiles, exposing sensitive user data.

BfDI Commissioner Prof. Dr. Louisa Specht-Riemenschneider emphasized that regulatory action is necessary when data breaches occur. She acknowledged Vodafone’s full cooperation throughout the investigation, stating the company voluntarily disclosed incriminating information and has since taken corrective measures.

In response to the violations, Vodafone has revamped its internal processes and technical systems, enhanced the selection and monitoring of partner agencies, and severed business ties with those involved in fraudulent conduct. The company has also made financial contributions totaling several million euros to organizations focused on data protection, digital education, and cyberbullying prevention.

Vodafone, one of the world’s largest telecom providers, operates in 15 countries and serves more than 330 million customers globally. Its financial technology services reach nearly 83 million customers across seven African nations. The company has not yet issued a public statement regarding the penalties.