€1.2M Fine for Orange Telecom: How One Employee’s Mistake Led to a Massive GDPR Penalty
A fraudster walked into an Orange store in Madrid, claiming they had lost their phone and needed a SIM card replacement. A request like this should trigger strict verification procedures; after all, SIM swaps are a well-known entry point for account-takeover fraud.
However, something went wrong. Instead of thoroughly verifying the requester's identity, the store employee approved the request. No extra security checks, no challenges. Within minutes, the scammer walked out with a fully functional SIM card bound to someone else's phone number.
At that moment, the victim’s original SIM was deactivated. Calls, messages, and most critically, banking and email authentication codes were now in the hands of the attacker.
The fraud was swift. The scammer reset banking passwords, intercepted authentication codes, and initiated unauthorized transfers. By the time the victim realized what had happened, their money was gone.
Investigation Findings
The Spanish Data Protection Agency (AEPD) investigated and identified critical failures in Orange's security processes:
• Lack of identity verification: the employee approved the SIM swap without properly authenticating the requester.
• Failure to implement data protection by design (GDPR Article 25): €1M fine.
• Unlawful processing of personal data (GDPR Article 6): €200K fine.
Lessons Learned: Preventing Similar Risks
Implement Data Protection by Design and by Default: integrate robust safeguards into personal data processes from the outset, and review existing processes to align them with PbD and data protection principles.
Perform Data Protection Impact Assessments (DPIAs): Evaluate risks for high-risk data processing activities and implement safeguards.
Enhance employee training: Ensure staff can recognize fraud attempts and adhere to security protocols.
Strengthen authentication protocols: Enforce multi-factor verification for high-risk processes.
Regularly audit security policies: Identify weaknesses before they lead to compliance failures.
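The lessons above name controls but not a mechanism. As an added illustration that is not part of the original article and does not describe Orange's actual procedure or the AEPD's findings, the following Python sketch shows what "data protection by design" can look like for a SIM-swap workflow: the system, not the employee's judgement, enforces an identity-document check, a second factor (pre-registered account PIN or a one-time code to the SIM still in the customer's hands), a cooling-off hold after recent account changes, a four-eyes rule for overrides, and a delayed activation with a warning sent to the existing SIM. Every field name, threshold and rule is an assumption made for this example; the request data at the bottom is constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical policy parameters (assumptions for this example, not any operator's real values).
COOLING_OFF_AFTER_ACCOUNT_CHANGE = timedelta(hours=48)  # hold swaps after password/contact changes
ACTIVATION_DELAY = timedelta(hours=24)                  # window in which the old SIM keeps working
SAMPLE_NOW = datetime(2024, 3, 1, 12, 0)                # constructed timestamp for the examples below


@dataclass
class SimSwapRequest:
    customer_id: str
    requested_at: datetime
    id_document_verified: bool            # staff checked a physical ID against the account holder's record
    account_pin_ok: bool                  # customer produced the pre-registered account PIN
    otp_to_old_sim_ok: bool               # one-time code confirmed on the SIM still in the customer's hands
    last_account_change_at: datetime | None = None  # most recent password / contact-detail change
    employee_override: bool = False       # staff asked to waive the cooling-off hold
    second_approver_id: str | None = None  # distinct employee who countersigned the override


@dataclass
class Decision:
    allowed: bool
    activate_not_before: datetime | None
    reasons: list[str] = field(default_factory=list)


def evaluate_sim_swap(req: SimSwapRequest) -> Decision:
    """Deny-by-default policy. Every failed check is recorded so the audit trail explains the outcome."""
    hard: list[str] = []   # checks nobody in the store can waive
    soft: list[str] = []   # checks a countersigned override may waive
    notes: list[str] = []

    # 1. Something the customer has: a verified identity document.
    if not req.id_document_verified:
        hard.append("identity document not verified against account record")

    # 2. Something the customer knows or controls. A lost phone makes the OTP route
    #    unavailable, which is exactly why a pre-registered PIN must exist as the fallback.
    if not (req.account_pin_ok or req.otp_to_old_sim_ok):
        hard.append("no second factor: neither account PIN nor OTP to existing SIM")

    # 3. A password or contact-detail change shortly before a swap is a takeover precursor: hold it.
    if (req.last_account_change_at is not None
            and req.requested_at - req.last_account_change_at < COOLING_OFF_AFTER_ACCOUNT_CHANGE):
        soft.append("account details changed inside the cooling-off window")

    # 4. Overrides need four eyes, and even then can waive only the soft checks.
    if req.employee_override:
        if req.second_approver_id is None:
            hard.append("override requested without a second approver")
        else:
            notes.extend(f"{s}; waived by {req.second_approver_id}" for s in soft)
            soft = []

    failures = hard + soft
    if failures:
        return Decision(False, None, failures)

    # 5. Approved, but not effective immediately: the existing SIM is warned and keeps working
    #    for the delay window, so a genuine owner can stop a swap they never asked for.
    return Decision(True, req.requested_at + ACTIVATION_DELAY,
                    notes + [f"approved; old SIM notified, activation after {ACTIVATION_DELAY}"])


def old_sim_notification(req: SimSwapRequest, decision: Decision) -> str | None:
    """Warning sent to the number's current SIM when a swap is approved (constructed wording)."""
    if not decision.allowed or decision.activate_not_before is None:
        return None
    return (f"A replacement SIM was requested for your number on {req.requested_at:%Y-%m-%d %H:%M}. "
            f"It activates after {decision.activate_not_before:%Y-%m-%d %H:%M}. "
            "If this was not you, call us from this phone now.")


if __name__ == "__main__":
    # Constructed walk-in resembling the article: no ID check, no PIN, no OTP, only a story.
    walk_in = SimSwapRequest("cust-1", SAMPLE_NOW, False, False, False)
    print(evaluate_sim_swap(walk_in))
    # Constructed legitimate customer: ID checked and PIN supplied; swap approved but delayed.
    genuine = SimSwapRequest("cust-2", SAMPLE_NOW, True, True, False)
    decision = evaluate_sim_swap(genuine)
    print(decision)
    print(old_sim_notification(genuine, decision))
```

The point of the structure is that the store employee never holds the decision: the unverified walk-in is refused with the specific missing checks logged, a manager cannot single-handedly bypass a hold, and even an approved swap gives the real owner a window to object before their number moves.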
A chain is only as strong as its weakest link. This case shows how a single oversight can compromise trust, expose customers to harm, and lead to severe financial and reputational consequences.
Is your organization prepared? Let's reinforce your security framework before vulnerabilities turn into liabilities. Schedule a free advisory session today.