AEPD (Spain) - EXP202305035
Spain's AEPD fines Orange Espagne €230K for weak eSIM security enabling identity theft.
Summary
Spain's data protection authority (AEPD) fined Orange Espagne €230,000 for violating Article 32 GDPR after the company failed to maintain adequate security controls around eSIM duplication requests. An attacker exploited weaknesses in Orange's identity verification process, circumvented the security checks and obtained a duplicate eSIM even though an internal identity theft warning had already been raised on the account; the warning did not stop an employee from issuing the duplicate. The DPA found this was not an isolated incident but a systemic weakness in the company's security policy.
Full text
From GDPRhub. Latest revision as of 12:40, 31 March 2026.

AEPD - EXP202305035
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started: 27.02.2023
Decided:
Published: 30.03.2026
Fine: 230,000 EUR
Parties: Orange Espagne S.A.U.
National Case Number/Name: EXP202305035
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: ap

The DPA fined a telecommunications company €230,000 for issuing a duplicate eSIM card to a third party without the data subject’s consent.

English Summary

Facts
Orange Espagne S.A.U. (the controller) is a telecommunications company. In 2023, a third person made several attempts to request a duplicate of a data subject’s eSIM. According to the controller, the third person was able to circumvent its security policy because they knew the data subject’s personal information, but failed to activate the eSIM because they did not answer the controller’s random verification questions correctly. The third person was, however, able to change the email address associated with the eSIM. The controller noted that the third person had also used a manipulated copy of the data subject’s ID bearing a different photograph, and the controller issued an internal warning that the data subject’s identity had been stolen. Nonetheless, the third person was later able to request a new eSIM duplicate and activate it.

The data subject brought a complaint to the DPA after receiving notifications from their bank about fraudulent transactions and losing phone coverage. The data subject stated that the controller had not informed them of the failed eSIM duplication requests or of the internal identity theft warning. The controller argued that a criminal investigation into the case was pending and that, under national law, the DPA could not investigate until the criminal proceedings were closed. In addition, the controller argued that its security policy had prevented several attempts to duplicate the data subject’s eSIM.

Holding
The DPA first dismissed the controller’s argument regarding the pending criminal investigation. The DPA stated that the two proceedings concerned different parties (the DPA was investigating the controller, whereas the criminal case concerned the third person) and that their scope differed. Therefore, there was no need for the DPA to wait for the outcome of the criminal proceedings.

The DPA found a violation of Article 32 GDPR, as the controller had failed to ensure the security of processing. The DPA noted that the controller had issued an internal warning after detecting a case of identity theft. This, however, did not prevent an employee from later issuing a duplicate eSIM. The measures were therefore not effective. The DPA emphasised that this was not an isolated incident, but rather a general weakness in the controller’s security policy.

The DPA fined the controller €230,000 and ordered the controller to ensure that its processing activities comply with the requirements of Article 32 GDPR.
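The control failure the DPA describes is easy to state and easy to get wrong in an issuance workflow: a fraud warning that is merely displayed to an agent, a contact-channel change accepted from a requester who failed verification, and no notification to the account holder about failed attempts. The following is an added illustration, not code from the decision, from the AEPD or from Orange: it models a duplicate-eSIM request handler under a "weak" policy (warning is advisory only, contact changes accepted without full verification, no notifications) and a "hardened" policy (warning fails closed, contact changes require full verification and start a cooldown, the data subject is notified over the channels that predate the request). The account data, dates, policy parameters (7-day cooldown) and the replayed sequence of two requests are constructed to mirror the facts of the case and are assumptions, not details taken from the decision.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Account:
    msisdn: str
    contact_email: str
    identity_theft_warning: bool = False        # the controller's "internal warning"
    last_contact_change: datetime | None = None
    audit: list[str] = field(default_factory=list)


@dataclass
class DuplicateRequest:
    at: datetime
    kba_passed: bool              # random verification questions answered correctly
    id_document_verified: bool    # ID copy (photo, number) checked against a trusted source
    new_email: str | None = None  # requester also asks to change the contact address


@dataclass
class Policy:
    warning_blocks_issuance: bool        # hard block vs. advisory note shown to staff
    change_requires_verification: bool   # contact change only after full verification
    contact_change_cooldown: timedelta   # no duplicate shortly after a contact change
    notify_subject_on_failure: bool      # tell the data subject about failed attempts


# Assumed policy parameters for the two variants being compared.
WEAK_POLICY = Policy(False, False, timedelta(0), False)
HARDENED_POLICY = Policy(True, True, timedelta(days=7), True)


@dataclass
class Decision:
    issued: bool
    reasons: list[str]        # every reason that blocked issuance (empty when issued)
    notifications: list[str]  # channels the data subject is alerted on


def process_request(account: Account, req: DuplicateRequest, policy: Policy) -> Decision:
    """Decide whether a duplicate eSIM is issued; fail closed on any blocking reason."""
    reasons: list[str] = []
    notifications: list[str] = []
    previous_email = account.contact_email  # channel that predates this request
    verified = req.kba_passed and req.id_document_verified

    if not verified:
        reasons.append("identity verification failed")
    if account.identity_theft_warning:
        if policy.warning_blocks_issuance:
            reasons.append("identity theft warning on file: issuance blocked")
        else:
            account.audit.append(f"{req.at:%Y-%m-%d} advisory: warning shown to agent")
    if (account.last_contact_change is not None
            and req.at - account.last_contact_change < policy.contact_change_cooldown):
        reasons.append("contact details changed within cooldown window")

    # Contact-channel change: the weak policy applies it even after a failed check.
    if req.new_email is not None:
        if verified or not policy.change_requires_verification:
            account.contact_email = req.new_email
            account.last_contact_change = req.at
            account.audit.append(f"{req.at:%Y-%m-%d} contact email changed")
        else:
            account.audit.append(f"{req.at:%Y-%m-%d} contact change refused: not verified")

    issued = not reasons
    if issued:
        account.audit.append(f"{req.at:%Y-%m-%d} duplicate eSIM issued")
    elif policy.notify_subject_on_failure:
        # Alert on channels the requester could not have changed in this request.
        notifications.append(f"sms:{account.msisdn}")
        notifications.append(f"email:{previous_email}")
    return Decision(issued, reasons, notifications)


def replay_case(policy: Policy) -> tuple[Account, list[Decision]]:
    """Replay the sequence described in the decision on constructed data."""
    acct = Account(msisdn="+34-600-000-000", contact_email="victim@example.invalid")
    day0 = datetime(2023, 2, 1)
    # First attempt: verification fails, but the requester asks for an email change.
    first = DuplicateRequest(day0, kba_passed=False, id_document_verified=False,
                             new_email="attacker@example.invalid")
    d1 = process_request(acct, first, policy)
    acct.identity_theft_warning = True  # the controller raises its internal warning
    # Later attempt: the requester now clears the checks.
    second = DuplicateRequest(day0 + timedelta(days=3), kba_passed=True,
                              id_document_verified=True)
    d2 = process_request(acct, second, policy)
    return acct, [d1, d2]


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        acct, decisions = replay_case(pol)
        print(name, [d.issued for d in decisions], acct.contact_email, acct.audit)
```

Under the weak policy the replay reproduces the facts of the case: the first request is refused but still rewrites the contact email, the warning is only shown to the agent, and the second request is issued. Under the hardened policy the warning is a blocking reason in its own right, the email change is refused, and the data subject is alerted on the original channels after each failed attempt, which is the notification the complainant said they never received.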