In the realm of data protection, identity verification plays a crucial role in safeguarding personal information. In this article, we look at a recent enforcement action against Vodafone España that illustrates why robust identity verification procedures matter. We examine the case, the consequences Vodafone faced, and best practices for verifying a person's identity before acting on their request. Companies that verify identity diligently are better placed to protect sensitive information and prevent breaches.
On March 16, 2022, a complaint was lodged against Vodafone España with the Spanish data protection authority, the Agencia Española de Protección de Datos (AEPD). The complainant alleged that unauthorized individuals had obtained a duplicate of her SIM card from Vodafone without her consent, and that the duplicate was then used to access her bank account and execute a fraudulent transfer.
Vodafone conceded that an unauthorized third party had requested a call diversion on the complainant's line. The request was honored because the third party apparently passed Vodafone's security checks. Note that a call diversion alone, without a duplicate SIM, is enough for an attacker to receive voice calls placed to the victim's number, including any one-time codes delivered by phone call.
The AEPD’s ruling
The AEPD's investigation found that Vodafone España had infringed data protection law by activating an unauthorized call forwarding. The lapse was attributed to Vodafone's failure to follow its own security policy: the customer service representative did not verify the caller's identity and activated the call forwarding without establishing that the caller was the account holder.
Vodafone acknowledged the procedural lapse and the identity theft. Although it stated that the appropriate security checks had been performed, the call had not been recorded, so it could not prove its diligence; under the GDPR's accountability principle the burden of demonstrating compliance lies with the controller. The company was found to have infringed Article 6 of the General Data Protection Regulation (GDPR), which requires a lawful basis for processing personal data, and was fined €56,000.
This is not an isolated enforcement action; the AEPD has a history of imposing fines for failures in identity verification. For instance, last year we reported on Decision 476, in which an electricity provider was penalized for inadequately verifying the identity of one of its customers. That lapse allowed an impersonator to alter the customer's contract and increase its price.
How to verify someone’s identity
In light of such incidents, data controllers must be diligent in verifying the identity of data subjects before disclosing or altering any information, or modifying a customer's contract. This naturally raises the question: what are the best practices for verifying someone's identity?
Although there are no hard rules on the topic, the data protection authority of the German state of Baden-Württemberg has published recommendations. Among the methods the authority mentions are the following:
- Request for additional information: The controller may ask for supplementary details such as date of birth or address to confirm that it is speaking with the right person. In banking it is common to ask for "secret" information, such as a PIN the customer set earlier.
- Submission of an identification document: Data subjects can be asked to provide a copy of their ID. Only the name, address, date of birth and period of validity are normally needed for identification; all other fields can be blacked out. The copy is used exclusively for identity verification and, as a rule, must not be stored in the controller's database.
- Identification via an eIDAS service: An identification method under Regulation (EU) No 910/2014, for example the online identification function of an electronic identity card or a qualified electronic signature.
- Video call verification: A video call in which the person and their identity document are reviewed.
- Identification via user account: The data subject logs into a previously created user account.
Note that every identification method has advantages and disadvantages, and not all are suitable for every situation. For instance, verification based on commonly known information such as an address or date of birth does not offer sufficient security for many operations, because such data is easily obtained from public sources or earlier data breaches. Data controllers should assess the most appropriate method case by case, taking into account the nature of the information to be disclosed, the potential consequences of misidentification, and the proportionality of the method to the requested action. High-impact changes such as call forwarding or SIM replacement warrant a stronger method than a routine balance enquiry, and the verification steps actually performed should be recorded so that diligence can later be demonstrated.
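As an added illustration of the proportionality point (this is example code written for this article, not a procedure used by Vodafone, the AEPD or the Baden-Württemberg authority), the following Python sketch maps the methods listed above onto an assumed strength scale, sets a minimum strength per requested action, and writes an audit record for every decision, allowed or denied. The method names, strength values and per-action thresholds are assumptions chosen for illustration.

```python
"""Step-up identity verification policy with an audit trail.

Added example for this article; it is not Vodafone's or the AEPD's procedure.
It assumes a helpdesk flow in which an agent records which verification
methods the caller passed, and the requested change is only applied when the
strongest method meets the threshold set for that action. Method names,
strength values and per-action thresholds are illustrative assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Relative strength of each verification method (assumed ordering, loosely
# following the Baden-Württemberg list: commonly known facts are weakest,
# eIDAS identification is strongest).
METHOD_STRENGTH = {
    "birthdate": 1,        # commonly known information
    "address": 1,          # commonly known information
    "account_pin": 2,      # secret previously set by the customer
    "account_login": 3,    # logged into an existing user account
    "id_document": 3,      # copy of ID, non-essential fields blacked out
    "video_call": 4,       # person and ID reviewed on video
    "eidas": 5,            # eIDAS identification / qualified signature
}

# Minimum strength required per requested action (assumed thresholds).
# Actions that let a third party receive the customer's calls or take over
# the line are treated as high impact.
REQUIRED_STRENGTH = {
    "contract_summary": 2,
    "billing_address_change": 2,
    "call_forwarding": 3,
    "sim_replacement": 4,
}


@dataclass(frozen=True)
class VerificationRecord:
    """One audit entry: what was requested, what was checked, what was decided."""
    timestamp: str
    account: str
    action: str
    methods_passed: tuple
    achieved: int
    required: Optional[int]   # None when the action is not in the policy
    decision: str


def achieved_strength(methods_passed):
    """Strength of the strongest recognised method.

    Using the maximum rather than a sum means that stacking several weak,
    commonly known facts (birthdate plus address) never reaches the level of
    a single secret or document-based check. Unrecognised methods count as 0.
    """
    return max((METHOD_STRENGTH.get(m, 0) for m in methods_passed), default=0)


def authorise(account, action, methods_passed, audit_log):
    """Decide whether the requested action may proceed and record the decision.

    The record is appended whether the request is allowed or denied, so the
    controller can later show which checks were performed. Actions missing
    from the policy are denied rather than falling back to a weak threshold.
    """
    required = REQUIRED_STRENGTH.get(action)
    achieved = achieved_strength(methods_passed)
    allowed = required is not None and achieved >= required
    audit_log.append(VerificationRecord(
        timestamp=datetime.now(timezone.utc).isoformat(),
        account=account,
        action=action,
        methods_passed=tuple(methods_passed),
        achieved=achieved,
        required=required,
        decision="allowed" if allowed else "denied",
    ))
    return allowed


if __name__ == "__main__":
    log = []
    # Constructed requests against a hypothetical account, for illustration.
    requests = [
        ("acct-0001", "call_forwarding", ["birthdate", "address"]),
        ("acct-0001", "call_forwarding", ["account_login"]),
        ("acct-0001", "sim_replacement", ["id_document"]),
        ("acct-0001", "sim_replacement", ["video_call"]),
    ]
    for account, action, methods in requests:
        authorise(account, action, methods, log)
    for rec in log:
        print(f"{rec.action:16} {','.join(rec.methods_passed):20} "
              f"{rec.achieved}/{rec.required} -> {rec.decision}")
```

The two design choices worth copying are that the strongest single method decides (so two commonly known facts never add up to a secret), and that the audit record is written for every decision before any change is applied; that record is exactly what Vodafone lacked when it could not show the AEPD that its checks had been performed.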
As data protection continues to evolve, vigilance in identity verification remains a linchpin in safeguarding personal information. Companies, regardless of size or industry, should judiciously assess and employ the most appropriate identification methods proportionate to the sensitivity of the information and the potential ramifications of misidentification. After all, a proactive approach today can mitigate the risks and consequences of tomorrow.