The Spanish Data Protection Agency (AEPD) has imposed fines ranging from 70,000 euros to 3.94 million euros on the main mobile operators for violating the confidentiality of their customers' data by issuing unauthorized or unverified duplicate SIM cards. This facilitated the fraud known as 'SIM swapping', in which a duplicate SIM card is obtained without the owner's consent in order to access personal and confidential information, take over accounts and make money transfers. On February 1, after more than two years of investigation, the Agency resolved five sanctioning files affecting Vodafone, which must pay 3.94 million euros; Orange, with two sanctions totalling 770,000 euros; Telefónica, which must pay 900,000 euros; and Xfera, which faces a fine of 200,000 euros.
Based on complaints from citizens, most of them filed in 2019 and 2020, the AEPD opened sanctioning proceedings last year, to which Información has had access. These have now resulted in heavy fines for infringement of articles 5.1.f) and 5.2 of the GDPR, classified under article 83.5.a) of the GDPR and article 72.1.a) of the LOPDGDD. Article 5.1.f) requires that personal data be processed in a way that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by applying appropriate technical or organizational measures (the principle of integrity and confidentiality). The sanctioned companies now have two months to notify the AEPD whether they intend to file.
Among the operators' allegations, Orange argues that it is wrong to assume that by obtaining a duplicate SIM card an impersonator automatically gains access to the victim's contacts or to every application and service that uses an SMS code as its password-recovery mechanism. It stresses that even if such information were stored on the SIM card, that data would not appear on the duplicate.
Orange points out that in many cases there is reckless behavior by the holders in the custody of their personal information
“When the impersonator goes to Orange to request the duplicate, he already has a great deal of information about the data subject, which is necessary to process the request. Therefore, obtaining this information, presumably unlawfully, is the responsibility of a third party or of the data subject; in many cases there is reckless behaviour by the latter in the custody of their personal information”, it argues, in order to point to the responsibility of users and reduce the substantial penalty. It also points to the responsibility of the banks, “since the confidentiality of the data processed in the SIM card duplication process had previously been broken by the banking entities”.
The AEPD describes how the cybercriminals operate, drawing on the National Police's experience with these practices. The scam has several phases. In the first, the fraudsters obtain the access credentials for the online banking portals of the various entities through phishing, malware or pharming. With the credentials in hand, they request duplicates of the victims' SIM cards, providing the mobile operators with false documentation, in order to receive the confirmation codes for the fraudulent transfers they then make to their own accounts.
On other occasions they also apply for pre-approved loans or microcredits from the banks in order to increase their profit. The cybercriminals achieve their goals in as little as two hours, which often means victims do not notice in time that their phone has stopped working, since their SIM card was deactivated once the new duplicate was in use. The commission of this crime involves a whole chain of criminal conduct: it begins with the offender obtaining the victim's personal information and bank passwords, continues with usurping the victim's identity to obtain a copy of their SIM card, and ends with receiving on a mobile device the confirmation codes needed to authorize the transfers.
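The chain described above (credential theft, duplicate SIM, SMS codes, transfers and loans within a couple of hours) is exactly what a bank-side correlation rule can catch if the operator's SIM duplicate event is visible to it. The following is an added example, not code from the AEPD, the operators or the banks mentioned; the log format, the event names (`sim_duplicate`, `otp_sent`, `transfer`) and the 48-hour quarantine window are assumptions, and the log lines are constructed for illustration. It flags any transfer whose confirmation code was delivered to a number that received a duplicate SIM inside the window, and totals the exposure per number, since the attackers chain transfers and loans:

```python
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed line format:
#   <ISO timestamp> <event_kind> key=value ...
# sim_duplicate would come from the operator; otp_sent and transfer from the bank.
SAMPLE_LOG = """\
2020-03-10T09:02:11 sim_duplicate msisdn=+34600000001 channel=store
2020-03-10T09:31:45 otp_sent msisdn=+34600000001 purpose=transfer ref=T1
2020-03-10T09:33:02 transfer ref=T1 amount=4800
2020-03-10T10:05:00 otp_sent msisdn=+34600000001 purpose=loan ref=L1
2020-03-10T10:06:10 transfer ref=L1 amount=3000
2020-03-10T11:00:00 otp_sent msisdn=+34600000002 purpose=transfer ref=T2
2020-03-10T11:01:00 transfer ref=T2 amount=150
2020-03-15T12:00:00 otp_sent msisdn=+34600000001 purpose=transfer ref=T3
2020-03-15T12:01:00 transfer ref=T3 amount=200
"""

SWAP_WINDOW = timedelta(hours=48)  # assumed quarantine period after a SIM duplicate


def parse_line(line):
    """Turn one log line into a dict with parsed timestamp, kind and key=value fields."""
    ts, kind, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "kind": kind, **fields}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def flag_post_swap_transfers(events, window=SWAP_WINDOW):
    """Return {ref: (msisdn, hours_since_swap)} for transfers whose OTP was
    delivered to a number that received a duplicate SIM within `window`."""
    last_swap = {}   # msisdn -> timestamp of most recent duplicate
    otp_to = {}      # transfer ref -> msisdn the confirmation code was sent to
    flagged = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] == "sim_duplicate":
            last_swap[e["msisdn"]] = e["ts"]
        elif e["kind"] == "otp_sent":
            otp_to[e["ref"]] = e["msisdn"]
        elif e["kind"] == "transfer":
            msisdn = otp_to.get(e["ref"])
            if msisdn is None:
                continue  # not authorized by SMS code; out of scope for this rule
            swap_ts = last_swap.get(msisdn)
            if swap_ts is not None and e["ts"] - swap_ts <= window:
                hours = round((e["ts"] - swap_ts).total_seconds() / 3600, 2)
                flagged[e["ref"]] = (msisdn, hours)
    return flagged


def exposure_after_swap(events, window=SWAP_WINDOW):
    """Sum of amounts moved per msisdn via flagged transfers (transfers plus loans)."""
    flagged = flag_post_swap_transfers(events, window)
    totals = {}
    for e in events:
        if e["kind"] == "transfer" and e["ref"] in flagged:
            msisdn = flagged[e["ref"]][0]
            totals[msisdn] = totals.get(msisdn, 0) + int(e["amount"])
    return totals


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(flag_post_swap_transfers(evs))  # {'T1': ('+34600000001', 0.51), 'L1': ('+34600000001', 1.07)}
    print(exposure_after_swap(evs))       # {'+34600000001': 7800}
```

T1 and L1 are flagged because their codes went to a number duplicated half an hour and one hour earlier; T2 is not (no duplicate on that number) and T3 is not (five days after the duplicate, outside the assumed window). The rule only works if the operator exposes the duplicate event to the bank, which is why the AEPD's focus on the operator's identity check at issuance time matters: without that signal the bank sees a normal SMS confirmation.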
The ‘SIM swapping’ is being used with alarming frequency and has generated multiple police investigations and the initiation of procedures
It also cites the 2021 Report of the State Attorney General's Office and its section on 'Computer Crime', which mentions online fraud affecting the telecommunications sector, including 'SIM swapping', “which has been used with alarming frequency in recent years and has generated multiple police investigations and the initiation of proceedings in different territories such as A Coruña and Valencia. Its effectiveness and the ease with which criminals achieve their illicit purposes has led telephone operators to adopt specific measures to prevent it and to strengthen the guarantees for the issuance of these cards or their duplicates”.
The AEPD resolutions cite as mitigating factors, which avoided a much larger penalty, the companies' high degree of cooperation with the Agency, the positive measures taken to mitigate the harm suffered by the affected customers, their submission to dispute-resolution mechanisms, and the fact that they obtained no economic benefit beyond the cost price charged for issuing a duplicate SIM card (around five euros). Even so, the Agency considers the breaches proven, classifies them as a very serious infringement of the GDPR, and stresses that the operator's rigour in verifying that the person requesting the duplicate is the holder of the SIM card, or someone authorized by the holder, must meet strict requirements. “It is not that the information referred to is contained in the SIM card, but that if, in the process of issuing a duplicate SIM card, the identity of the applicant is not adequately verified, the operator would be facilitating identity theft”.