• Greek operator deemed to have infringed on GDPR law in 2020 data leak.
• Fines handed to Cosmote mobile operator and OTE Group parent.

OTE handed €9m fine for data protection failings

OTE Group was hit with a combined €9.25m (£7.72m) in fines for breaches of the EU’s General Data Protection Regulation following a data leak that affected millions of customers.

The September 2020 cyberattack compromised a file containing call logs and rough positional data of around 4.2 million Cosmote subscribers, relating to data traffic over five days at the start of that month.

The operator launched an “in‑depth” investigation into the breach at the time, and made assurances that the dataset was anonymised and did not expose details such as names or banking information (Deutsche Telekomwatch, #99).

The Hellenic Data Protection Authority (HDPA) has now ruled that Cosmote and parent company OTE Group were at fault, and has levied fines of €6m on Cosmote and €3.25m on OTE.

The HDPA’s investigation concluded that the operator infringed on “the principles of legality” outlined in the EU’s GDPR.

Chief among the concerns was a lack of transparency in the datasets Cosmote stores. The call log leaked in 2020 typically gets stored for twelve months for statistical analysis by the operator. However, the HDPA found that Cosmote had used “poor” anonymisation techniques, had stored datasets for longer than permitted, and had not properly informed subscribers that their data was to be used in this way.

Along with the fines, the HDPA ordered Cosmote to change its data storage processes and the way it communicates with its subscribers.

The operator has not commented on the verdict.

A common enemy

Despite concerns at the time that the data breach represented a wider threat to national security given the data stored in the compromised set, OTE Group appears to have dodged more damning action from the HDPA.

Other Deutsche Telekom NatCos have faced more public scrutiny in recent years, with T‑Mobile US perhaps the most prominent example. The US operator has been subject to three significant data security incidents since late 2019, with the most recent in August last year affecting nearly 55 million users and covering details such as names, dates of birth, social security numbers, and phone numbers (Deutsche Telekomwatch, #90, #101, and #107).

In Europe, Cosmote’s 2020 data breach followed a similar incident affecting Hungary’s Magyar Telekom, although it claimed to have successfully repelled the worst of the attack (Deutsche Telekomwatch, #99).

In the same year, T‑Mobile Netherlands warned customers of a data leak at business service provider Conduent that prompted fears that T‑Mobile customer data may have been compromised (Deutsche Telekomwatch, #97).