1&1 Slapped With 9.5 Million Euro Fine: Will Appeal

Tue, 17th December 2019, 13:59

The parent company of web hosting firm 1&1 says it will appeal the  €9.55 million ($10.66M USD) fine imposed on the company by the German data protection regulator, the Federal Commissioner for Data Protection and Freedom of Information (BfDI). The investigation stemmed from a complaint in connection with their telephone customer service.

BfDI has issued a statement saying,

"In connection with their telephone customer service, the company had not taken sufficient technical and organizational measures to prevent unauthorized persons from being able to obtain customer information."

The investigation commenced in 2018 following a complaint from a customer whose personal mobile phone number was divulged by a 1&1's customer service rep to a former partner of the complainant. The former partner intimate knowledge of the complainant including the name and date of birth was used to garner the information requested.  According to BfDI, this was insufficient 'access control' for access to personal data.

The fine is described as being "in the lower range of possible fines" primarily because of 1&1's cooperative response to the regulator's investigation. 1&1 is arguing the fine is significant for both its size, and because it does not directly relate to the company’s computer or data systems, rather to verbal and curated access to personal data stored on those systems. In a subsequent statement, 1&1 has said that it will fight the BfDI decision:

This procedure was not about the general protection of the data stored at 1 & 1, but the question of how customers can access their contract information. The case in question already occurred in 2018. Specifically, it was a matter of calling the cell phone number of a former life partner by telephone. The responsible employee fulfilled all the requirements of the security guidelines that were valid at 1 & 1 at the time. At this point, two-factor authentication was common; there was no uniform market standard for higher security requirements. Since then 1 & 1 has continuously developed the security requirements. For example, a three-level authentication has been introduced in the meantime and in the next few days 1 & 1 - as one of the first companies in its industry - will provide each customer with a personal service PIN. 

If the fine is upheld by the courts, it will mean that many companies will need to rethink their existing customer support policies. This when even now many customers are expressing frustrations with the difficulties in obtaining telephone support, never mind adding additional hoops to jump through. Companies need to balance security with ease of use. But BfDI is not thinking of this as a one-off problem: "On the basis of its own findings, indications and customer complaints," it warns, "the BfDI is also currently investigating the authentication procedures of other service providers."

Before anyone begins to cry a river for 1&1, it’s worth pointing out that 1&1 had revenues in excess of 5B euros in 2018 and assets totalling more than 8B euros.

1&1 Internet, was founded in Germany in 1988 and later spun off to be one of the mainstay brands under the United Internet umbrella of companies. United Internet modus operandi appears to favor maintaining separate brand and management team . Besides its flagship brand 1&1, and its numerous 1&1 variants ie 1&1 Uk, 1&1 USA, United Internet's other brands include United-Domains, Fasthosts,  home.plStrato, InterNetX, Sedo and affilinet – GMX, Arsys, and WEB.DE.