In the following, Deutsche Telekom provides information on processes relevant to data privacy and the measures it has taken to counteract them.
With the introduction of the General Data Protection Regulation (GDPR) in May 2018, the threshold for reporting a data breach has been lowered. Low-risk incidents must now be reported to the authorities as well. This also includes, for example, incorrectly sent e-mails and invoices.
In the following, only significant data breaches from recent years are listed.
The document "Reporting of Data Breaches" (pdf, 863.8 KB) explains what a data privacy incident can be and how the internal reporting process works.
- OTE and Cosmote were fined a total of €9.25 million by the Greek data protection authority. This was triggered by a hacker attack in September 2020 and a corresponding investigation by the supervisory authority. The investigations identified, among other things, a breach of the security of processing and insufficient implementation of the data protection impact assessment and of the information requirements. After the vulnerability became known, appropriate protective measures were taken immediately to prevent a recurrence. In the same case, the Greek Telecommunications Authority imposed a further fine of €3.2 million on Cosmote.
- The Slovakian data protection authority imposed a fine totaling EUR 40,000 on Slovak Telekom. This was triggered, among other things, by a violation of the principles and lawfulness of processing personal data and by insufficient implementation of the obligation to inform the data subjects before processing their data. This led to the unauthorized use of data of employees of an internal project of the two companies Slovak Telekom and T-Mobile Czech Republic. After the vulnerability became known, measures were taken immediately to prevent a recurrence.
- Telekom Romania was fined a total of €13,000 by the Romanian Data Protection Authority (DPA) for failing to implement adequate security measures to ensure the security of personal data processing. This led to the unauthorized disclosure of the data of 99,210 customers, including their customer number, gender and telephone number, as well as unauthorized access to the personal data stored in the accounts of 413 customers. Mitigation measures have been introduced by Telekom Romania.
- A programming error occurred during an online booking process for the “MagentaEins” option at Telekom Deutschland GmbH (TDG): Contrary to the instructions of TDG, the implementing service provider designed the booking process in such a way that the customer could not book the tariff without giving advertising consent.
The error was corrected as soon as it became known and the unlawfully generated consents were deleted from the systems immediately.
In future, whether the service provider follows TDG's instructions during implementation will be checked in direct dialogue and documented in minutes.
After this incident became known, it was promptly reported to the authorities.
- In the course of a “StreamOn” product campaign, Telekom Deutschland GmbH also sent advertising SMS messages to customers who had not given Telekom Deutschland GmbH the corresponding advertising consent. A total of around 650,000 customers were affected. The faulty dispatch was due to a technical error in the processing system. After the error was detected, new test routines were immediately established during the campaign to rule out a repetition of this situation. The second dispatch wave was already corrected accordingly, so that no further faulty dispatch took place. We are already in contact with the responsible supervisory authority (BfDI).
- As a result of an operational error, access credentials for a system at T-Systems appeared on a public developer platform. An unknown person thus gained access to a so-called ticket system and copied e-mail addresses and telephone numbers of internal developers as well as of about 40 users. The ticket system is used by developers to process error reports (tickets) as part of a T-Systems cloud service.
Our technicians closed the compromised interface as soon as it was discovered. According to ongoing analyses, service tickets were copied, in some cases also mentioning the email addresses and phone numbers of users who had reported errors.
In the meantime, the unknown attacker has been identified. Further investigation has shown that the data copied by the attacker was not passed on. All copied data was deleted.
Customer systems themselves were not affected.
T-Systems has contacted the relevant data protection authorities. Affected users will be informed immediately.
- In the Telekom Shop Schwentinental, a customer had data from her old device transferred to another device. This data transfer took place via a USB stick, which was handed to the customer. The customer noticed that the USB stick contained data of other persons in addition to her own data. According to the press release, these data included private photos, names and telephone numbers of seven other persons.
Data privacy is our top priority. We are currently reviewing the process and are in contact with the responsible supervisory authority (BfDI). The defined process provides that data transfers requested by the customer from one device to another are carried out via new, unused USB sticks which the customer buys. This prevents data from third parties from being stored on the stick. We are currently investigating why this standard process was deviated from in the Telekom Shop Schwentinental.
- The T-Systems subsidiary MMS transferred 2,300 customers of the Cloud Manager service to the latest system version. In one case there was a technical error: due to a delay in the migration process of a customer's inbox, combined with a temporary technical error occurring at the same time, the customer was able to access that inbox. Since the access rights of the inbox were not fully implemented at this point, the customer obtained extended read-only rights. With these, he was able to access additional data of other customers from the server. This included phone numbers, e-mail addresses and, in some cases, physical addresses. Sensitive data such as passwords or account data was not stored on the affected server. Deutsche Telekom took immediate action to avoid this technical error in the future and contacted the affected customers as well as the supervisory authorities. Telekom also contacted the initial customer to ensure that all data obtained through the wrongful access to the other customers' data was deleted.
- A member of the German Bundestag had terminated his contract with Deutsche Telekom in October 2016 and had asked for the final bill to be sent to a new address. Before that, the bill was sent to a centralized P.O. box of the Bundestag. This P.O. box was also the address of other members of parliament. By switching the address for the final bill, all other addresses with the same P.O. box reference were changed to the new address of the customer. The mistake was corrected; about 35 cases where this happened were reported. The bills contain information about the chosen contract, the invoice amount and other services connected to the contract (e.g. fixed-line or mobile contracts, rented devices), and the address. Itemized billing was not part of this bill. The affected customers were informed.
- Telekom offers an opt-out for the anonymized processing of data via Motionlogic GmbH, which involves transmitting certain information (age group, sex, zip code). At the end of September 2016 we were informed by a customer that, besides a secure page for the opt-out (https), an unprotected page was also active. Telekom took the page down immediately. The page is used by customers to enter their name and mobile phone number in order to receive a code to disable the anonymized processing.
- A technical fault on May 20, 2016, led to a malfunction in the group chat function of RCS/Message+. As a result, new participants were automatically incorporated into existing chat groups without an invitation, and could not be removed from these groups. Deutsche Telekom deactivated the chat function in RCS/Message+ as soon as it became aware of the fault, and is working on resolving the fault. The supervisory authority was notified and Deutsche Telekom is working on identifying the customers affected and informing them of the situation.
- In April 2016, Telekom customers were informed in writing about the increase in data volume for MagentaMobil rate plans. Due to a manual processing error, about 50 customers received a personalized letter which did not match the personalized envelope. In this way, recipients received information about the name and mobile phone number of another customer. Deutsche Telekom informed the customers affected and the supervisory authorities of the processing error.
- The "Kundencenter" customer center app lets Telekom customers manage their mobile and fixed-network lines on their smartphones. On March 29, 2016, on installation of the newest app version for iOS devices (version 5.3.6) from the app store, we became aware of cases in which incorrect data was displayed to users. As far as we are aware, the data that was displayed was for a single individual. Telekom is working on eliminating this error and has therefore deactivated the app and removed it from the app store. Owners of Android devices can continue to use the "Kundencenter" app as normal. The same applies to users of previous versions of the iOS "Kundencenter" app (5.3.5 or earlier). We apologize for the inconvenience and will provide a new, error-free version of the app as quickly as possible. Until then, Deutsche Telekom asks its customers to use the customer center on its website, at www.telekom.de/kundencenter.
- Between 24th and 31st March 2016 there was a technical malfunction affecting services and platforms that use the so-called Telekom Login service. Customers that registered with a non-T-Online mail address were in a few cases able to access data of other customers. Telekom temporarily disabled the affected logins and set up a hotline for customers to report any irregularities (the hotline was closed on 30th June 2016, according to plan). The supervisory authorities were informed.
- A check carried out on a call center partner revealed in December 2015 that, among other things, the partner was employing a subcontractor that had not been approved and was passing customer data on to this company. This is a serious violation of the agreement on commissioned data processing. Telekom has therefore terminated the contract with the call center without notice.
- In March 2015, the "Data privacy and information protection" training course was launched for all staff in the Deutsche Telekom Group. The online course informs participants on what the law allows and what needs to be strictly complied with. It is updated every two years and is mandatory for all employees in Germany. One of its focuses is the Binding Corporate Rules Privacy, the Group's most important internal data protection policy. It also provides useful tips on the correct way of handling sensitive information and documents. The training course guarantees consistent global data protection standards when processing customer and employee data within the Deutsche Telekom Group.
- Due to a technical fault in the online customer center responsible for fault reports, a single customer gained unauthorized access to another customer's data at the beginning of February 2014. That individual had access to information such as the other customer's telephone number and fault details, but had no access to sensitive data such as passwords and bank and payment details. Deutsche Telekom took action immediately, introducing technical measures to ensure that this or similar types of fault would not occur again in future.
- In May 2014, due to a processing error, an e-mail was sent to the wrong customer address. An attachment to the e-mail contained reports on the cell phone contracts of another customer. Deutsche Telekom informed the affected customers of the incident and adjusted the processes used for sending reports.
- Thanks to a tip-off from an employee, an error was spotted in Deutsche Telekom's mobile communications portal in the assignment of contracts to online accounts (login accounts). This error meant that in certain circumstances, customers could potentially view the contract data of another customer. In order to ensure the exclusion of cases of unauthorized viewing, the affected parts of the online customer portal for mobile communications were taken offline for several hours on April 25, 2014 and only reactivated once the error had been reliably eliminated.
- In the Internet sales portal for business customers, a technical error was discovered in a link thanks to a customer tip-off. This error could lead to a customer being shown the contractual documents of another business customer upon concluding a new customer contract. This affected among other things the account details of companies and personal data of company owners, such as date of birth and ID number.
The error only occurred under certain circumstances and only for customers who called up their order confirmation by link and did not use the correct confirmation sent in parallel by e-mail. It is therefore impossible to determine how many customers were actually affected. As a precautionary measure, Deutsche Telekom is writing to all 2,107 potentially affected customers. Deutsche Telekom also informed the supervisory authorities.
- False account information for a business customer administration portal: Deutsche Telekom has accidentally sent the wrong activation link to around 120 business customers in an e-mail during a system migration. The platform on which users manage Internet domains was therefore temporarily removed from the network as a precautionary measure until the problem was resolved. Deutsche Telekom informed the affected customers.
Out of all these cases, only 28 users of the new administration portal have actually used the wrong activation link. The error was noticed within a few hours, after which the DT platform was temporarily disabled to prevent unauthorized use. No damage has occurred as a result, and the data error was identified and corrected promptly.
The trigger for this was a system error in which e-mails were incorrectly assigned. Even before the migration, DT asked the portal users to save and verify their e-mail addresses to make sure that only authorized users receive the activation e-mail. However, during the required transfer of e-mail addresses data was nonetheless exchanged through a system error when the data was being exported.
- While preparing for an IT system migration, it became apparent that the system in question contained personal employee data when it should only have contained anonymized data. The system was frozen and the works council immediately informed. Employees were informed on August 26, 2013.
- In June 2013, customer orders were found to have been attached to packages of hardware in a Telekom retail partner shop to reserve the hardware for customers. The error was immediately eliminated and partners were provided refresher training on data privacy.
- In mid-November 2012, human error resulted in the original versions of several customer orders and/or order confirmations being sent by a store-based sales partner to one individual customer.
- An SQL CREATE script containing the internal contact data of Deutsche Telekom employees (name, department, unit and telephone number) was published on an Internet site. The data were deleted immediately upon detection.
- At the beginning of May 2012, Deutsche Telekom found out that there was a security issue with one of their online applicant portals. An unknown attacker managed to exploit this security issue by downloading applicant documents such as CVs, references and letters from the corresponding application on the Internet.
Once it had been discovered, the security issue was immediately resolved and the danger of losing further applicant data was ruled out. All types of similar applications are currently being examined. The state commissioner for data protection in North-Rhine Westphalia was informed and Deutsche Telekom has filed charges. Those affected have been notified.
- Due to a technical fault in the online customer center for the fixed network, an individual customer was able to gain unauthorized access to another customer's data at the beginning of February 2012. This customer had access to information such as the address, contact details and most recent phone bill of the other customer, including the itemized bill. Other sensitive data such as passwords and bank and payment details were not affected. Deutsche Telekom took action immediately, introducing technical measures to ensure that this kind of fault or similar faults do not occur again in future. The customer who accessed the data without authorization has received written instructions from Deutsche Telekom to delete this information, which he or she is not entitled to access, and to provide the company with written confirmation that he or she has done so.
- An unauthorized party has accessed an ImmobilienScout24 server from outside the company. Access was gained to the address and contact information, customer numbers and names of both commercial and private vendors. The data itself is largely already available on the ImmobilienScout24 website as it is the standard information included in the contact field for real estate advertisements. Data has also been taken from contact forms, such as catalog requests or inquiries. No passwords, bank details or other financial data were taken. ImmobilienScout24, a subsidiary of Deutsche Telekom, blocked the access path immediately and has since restored the security of the server attacked. Vendors and users have been notified. The company has filed charges against an unknown party with the public prosecutor's office in Berlin.
- Technical tests have shown that the Speedport W723V WLAN router, which is currently sold by Deutsche Telekom, is not appropriately preconfigured to provide sufficient data privacy and protection. With some technical effort it is possible to determine the so-called WPA key, which would enable unauthorized access to a WLAN network. After receiving these results and those of other tests conducted by the Company, Deutsche Telekom published information for its customers on the websites telekom.com and telekom.de advising customers to change the factory-preconfigured WLAN passwords for all routers. At the same time, Deutsche Telekom is preparing customer information that will be included in new deliveries of those routers that could potentially be affected by a security breach. Deutsche Telekom also contacted the router manufacturer immediately to put a process in place that will again ensure that all routers preconfigured at the factory are absolutely secure.
- Between April 14, 2011 and May 10, 2011, six e-mail messages with documents from three customers, who are claiming damages against Telekom Deutschland GmbH in court, were sent to an incorrect e-mail address, due to human error. The e-mail attachments contained copies of the disputed bills, mobile phone contracts and account statements. The bills contained addresses, customer numbers and bank details. When the error was discovered, the Company immediately asked the incorrect recipient to delete any e-mail messages that were not intended for him personally. Deutsche Telekom notified the affected customers about the incident and contacted them to ask whether they would like a new customer number.
- In mid-August 2010, a memory stick with financial information about British subsidiaries of Deutsche Telekom was lost in transport on its way to Germany. The data on the stick is encrypted. No customer data is affected.