A German internet service provider faces a €9.6m ($10.6m; £8m) fine after being accused of failing to carry out tough enough customer ID checks.
Germany’s data protection watchdog said anyone who called 11 Telecom could get extensive personal information about someone else solely by giving their name and date of birth.
Fraudsters can easily collect such details from social networks and elsewhere on the net.
But the firm is challenging the ruling.
It said it did not accept the decision and intended to sue the authority.
The sum represents one of the largest penalties imposed under the EU’s GDPR (General Data Protection Regulation).
11 Telecom said the fine was “absolutely disproportionate” because the regulator had based its calculations on the wider company’s sales.
On that basis “even the smallest discrepancy can result in huge fines”, its data security officer Julia Zirfas complained.
The company also noted that it was in the process of rolling out new security protocols that will involve customers having to provide a Pin code when they call in.
GDPR came into force in May 2018 giving data protection authorities the power to impose bigger penalties than before.
In the most serious cases, organisations can be fined up to €20m or 4% of their worldwide annual revenue – whichever is larger.
But regulators are supposed to take into account whether the offending body co-operated with their inquiry, any past offences and whether the infringement was deliberate or a mistake, among other factors, when deciding the amount.
- Gender identity clinic leaks patient email addresses
- Facial recognition: School ID checks lead to GDPR fine
- Teletext Holidays exposed customer calls
In this case, the BfDI (Federal Commissioner for Data Protection and Freedom of Information) acknowledged that 11 Telecom had been “transparent and very co-operative” and had also taken steps to improve its practices.
But the watchdog said the sum was still justified on the basis that its entire customer base had been put at risk.
In October, the same regulator punished a German property company with a bigger €14.5m fine for holding on to people’s personal data for longer than was necessary.
And other European counterparts have told Google, British Airways and Marriott Hotels to pay even larger sums for other GDPR-related offences.
But one data privacy expert said the latest ruling was still significant.
“It’s only the second time there’s been a multi-million euro penalty for a straightforward security issue, following a Bulgarian case,” Tim Turner, director of 2040 Training told the BBC.
“Call centres have to balance easy access for customers with sensible verification measures, and this will be a wake-up call for all organisations trying to work out how much security to face callers with.”