Major AEPD sanction against the main telecommunications companies for allowing fraudulent SIM card duplication
The Spanish Data Protection Agency (AEPD) has simultaneously fined the four major telecommunications operators over incidents that several of their customers reported to the agency after suffering SIM swapping attacks that emptied their bank accounts.
The AEPD has published several resolutions compiling the SIM swapping cases that citizens have reported to it since 2019. It concludes that the operators did not diligently protect their customers' personal data, because they failed to apply the mechanisms needed to verify the identity of the line holder before issuing a duplicate SIM card. According to the agency, the SIM card is associated with a unique number that identifies its holder; that number is personal data and may only be handed over to its owner.
Movistar will have to pay a total of €900,000. Orange faces two fines: one of €700,000, plus €70,000 for complaints from customers of its second brand, Simyo. MásMóvil will have to pay €200,000 for problems reported by Yoigo customers.
In the case of Vodafone the AEPD has been particularly severe, imposing the highest fine of all, €3,940,000. The operator blamed the offenders and human error by its employees, but the agency concludes that the company was negligent, since it only took corrective measures once the AEPD had opened its investigation.
The resolutions published by the AEPD report that the affected users suffered transfers of up to €30,000 from their bank accounts and other accounts they held, Bizum transfers of up to €500, and loans of up to €43,000 taken out in their name. In some cases the criminal phoned the victim posing as their operator in order to obtain the data needed for the fraud.
Vodafone has been the only operator to react against the AEPD's decision. In a statement it labelled the fine "disproportionate" and "inappropriate", since it considers that it is not responsible for the banking crimes committed against the users of its telephone lines, and it holds the security systems of the banks responsible for what happened.
How SIM swapping works
The fraud known as SIM swapping consists of criminals forging the documentation of the holder of a mobile line in order to obtain a duplicate SIM card. To do this, they go to an operator's store with forged documents built from the customer's personal data. They usually present a false police report stating that their mobile phone and wallet, with the original documentation, have been stolen, attaching a photocopy of the ID card with the photo replaced by that of the offender who appears at the store. The objective is to take control of the mobile line so that, when a banking operation such as a transfer is initiated, they receive the authorisation code (typically sent by SMS) needed to complete it.
For SIM swapping to succeed, the criminals must previously have obtained the victim's personal data and bank account credentials, usually through phishing such as the well-known fraudulent SMS messages. The reports collected by the AEPD show that the first sign the victim notices is that their mobile phone has lost coverage, since the operator starts serving the duplicate SIM and deactivates the original one.
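The sequence just described (a duplicate SIM is issued, the original line goes dark, the SMS code lands on the attacker's handset, the transfer completes) is exactly what a bank or operator fraud team would want to correlate. The Python below is an added illustration written for this page; it is not code from the article, the AEPD or any operator or bank. It runs a simple detection rule over constructed log lines: any transfer whose SMS code was sent to a line that had a duplicate SIM issued within the preceding 72 hours is flagged. The event names, field names, phone numbers, amounts and the 72-hour window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not real customers or transactions).
# OPERATOR_EVENTS models an operator-side feed of SIM changes;
# BANK_EVENTS models a bank-side log of SMS codes and the transfers they authorised.
# Event and field names are hypothetical.
OPERATOR_EVENTS = """\
2023-10-02T10:05:00 sim_duplicate_issued msisdn=+34600111222 channel=store
2023-10-03T09:40:00 sim_duplicate_issued msisdn=+34600333444 channel=store
"""

BANK_EVENTS = """\
2023-10-02T11:12:00 sms_otp_sent msisdn=+34600111222 txn=T1001
2023-10-02T11:13:30 transfer txn=T1001 amount=30000 type=wire
2023-10-02T11:20:00 sms_otp_sent msisdn=+34600111222 txn=T1002
2023-10-02T11:21:00 transfer txn=T1002 amount=500 type=bizum
2023-10-02T15:00:00 sms_otp_sent msisdn=+34600555666 txn=T1003
2023-10-02T15:01:00 transfer txn=T1003 amount=2500 type=wire
2023-10-10T08:00:00 sms_otp_sent msisdn=+34600333444 txn=T1004
2023-10-10T08:01:00 transfer txn=T1004 amount=900 type=wire
"""

RISK_WINDOW_HOURS = 72  # assumed: how long after a SIM change a line is treated as untrusted


def parse_events(text):
    """Parse 'timestamp kind key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind, **fields})
    return events


def flag_transfers(operator_text, bank_text, window_hours=RISK_WINDOW_HOURS):
    """Return transfers whose SMS code went to a line with a recent duplicate SIM."""
    # Index every SIM duplication by the affected line.
    sim_changes = defaultdict(list)
    for ev in parse_events(operator_text):
        if ev["kind"] == "sim_duplicate_issued":
            sim_changes[ev["msisdn"]].append(ev["ts"])

    otp_by_txn = {}  # txn id -> the sms_otp_sent event that authorised it
    flagged = []
    for ev in parse_events(bank_text):
        if ev["kind"] == "sms_otp_sent":
            otp_by_txn[ev["txn"]] = ev
        elif ev["kind"] == "transfer":
            otp = otp_by_txn.get(ev["txn"])
            if otp is None:
                continue  # transfer not authorised by an SMS code: out of scope for this rule
            # SIM changes that happened before the code was sent, within the window.
            recent = [
                t for t in sim_changes.get(otp["msisdn"], [])
                if 0 <= (otp["ts"] - t).total_seconds() <= window_hours * 3600
            ]
            if recent:
                latest = max(recent)
                flagged.append({
                    "txn": ev["txn"],
                    "msisdn": otp["msisdn"],
                    "amount": int(ev["amount"]),
                    "type": ev["type"],
                    "sim_changed_at": latest.isoformat(timespec="minutes"),
                    "hours_since_sim_change": round((otp["ts"] - latest).total_seconds() / 3600, 2),
                })
    return flagged


if __name__ == "__main__":
    for hit in flag_transfers(OPERATOR_EVENTS, BANK_EVENTS):
        print(f"HOLD {hit['txn']} ({hit['type']}, {hit['amount']} EUR): SMS code sent to "
              f"{hit['msisdn']} only {hit['hours_since_sim_change']} h after a duplicate SIM")
```

On this data T1001 and T1002 are held (the €30,000 wire and the €500 Bizum go to a line duplicated about an hour earlier), T1003 passes because its line had no SIM change, and T1004 passes because the SIM change was a week old. The rule only works if the bank can see SIM changes, which is why some operators expose a SIM-change lookup to banks; where that is unavailable, the practical mitigation is to stop relying on SMS codes for high-value operations and to bind the second factor to the customer's device or app rather than to the phone number.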
At Letslaw we will keep an eye on new AEPD resolutions on SIM swapping and on any other practice contrary to data protection regulations, in order to keep our clients informed of developments in this area.
Letslaw is an international law firm specialised in business law.