German data protection regulator issues €9.5m fine for security failings

The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) has issued 1&1 Telecom with a €9,550,000 fine for security failings (English translation) in its customer services department. BfDI found that 1&1 had not put in place appropriate organisational and technical measures (Article 32 of GDPR) to ensure customer data was protected after it discovered that it was possible to get information about any customers just by using name and date-of-birth.

Verifying a customer’s identity is something that is a challenge for a lot of businesses whether you’re dealing with customer services or making sure you’re dealing with the right person when actioning a subject access request. And don’t think it doesn’t matter, or who would be trying to trick you into thinking they’re someone else, it does happen and we know of cases where organisations, estranged partners of the customer, etc. have attempted to disguise their real identity in the hope of getting access to another person’s personal data via a service provide.

We get asked a lot about what’s the best way to verify identity of someone, so here’s a quick list of ways you can check. But don’t pick just one, use a combination and you should use as many of these as possible to convince yourselves that you really are dealing with the person you think you are:

  • The obvious one is to ask for the contact name and address on the account. However, this isn’t full proof as these details can easily be found in the public domain or phished or social engineered
  • Proof of identity by using official documentation, although this again is not failsafe, particularly if someone has access to such paperwork (e.g. lives in the same property)
  • Ask how the account is paid and the last x digits of the account number
  • Use a passphrase or code for the account. You’ve probably been asked for this kind of thing yourself and whilst they can be a pain (it’s another password to remember) if you randomly select characters from the code when you’re dealing with someone then this is a good way to determine you’re talking to the account holder

You’ll also need to be mindful that you’ll need to adapt your approach to the different ways you communicate with someone. So for example, if someone calls in, then asking for x characters from the passphrase or pin on account can easily be asked, but maybe that’s not an appropriate when dealing with a query via email where you may need to call them up or ask for a different set of identifying information.

Leave a comment