Norwegian DPA issues reprimand to Telenor for inadequate protection of personal data

12 February 2021

The Norwegian Data Protection Authority have issued a reprimand to Telenor Norge AS for inadequate protection of personal data in its voicemail function, and for failing to submit a data breach notification to the Norwegian Data Protection Authority.

A security error has made it possible for unauthorized persons to access the voicemails of approx. 1.3 million customers by using so-called 'spoofing' services. The Data Protection Authority finds that Telenor Norge AS had not implemented satisfactory security measures. This vulnerability in the voicemail function had been known for many years.

“Unlawful hacking of voicemail inboxes using ‘spoofing’ services has been a known problem for years. We believe Telenor should have identified this vulnerability in their voicemail function at an earlier date,” says Bjørn Erik Thon, Director-General of the Norwegian Data Protection Authority.

Failed to submit Data Breach Notification

This vulnerability affected a large number of subscribers. Voicemail messages may contain a lot of information, and this content has been largely outside Telenor’s control. These factors indicate that Telenor’s security measures have been inadequate.

“This decision also takes account of the fact that Telenor failed to submit a data breach notification to the Data Protection Authority. We believe Telenor Norge AS should have reported the security breach to us as soon as they became aware of the vulnerability,” says Bjørn Erik Thon.

Fine issued by the Norwegian Communications Authority (NKOM)

The Norwegian Communications Authority (NKOM) formerly issued a fine in the amount of EUR 150 000 (NOK 1.5 million) for violation of the Electronic Communications Act, for the same circumstances as the Data Protection Authority has now considered. To prevent Telenor Norge AS from being penalized twice for the same offence, the Norwegian Data Protection Authority opted to issue a formal reprimand instead. 

Two violations of the Regulation

A reprimand is a punitive measure introduced by the General Data Protection Regulation, and means we have concluded that a violation of the law has occurred. In this case, we believe the following provisions of the General Data Protection Regulation have been breached:

  • Violation of Article 32 (1) of the GDPR, by failing to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
  • Violation of Article 33 of the GDPR, by failing to notify the personal data breach to the Data Protection Authority.

For further information, please contact the Norwegian DPA: international@datatilsynet.no

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.