13/2018 (2) SIM swap attack
A data subject notified the data controller (a mobile-phone network operator) that a SIM card swap was requested and authorised on her mobile-phone account by an unauthorised third party.
The data subject was concerned because her mobile-phone number had been used to receive text messages for two-factor authentication from her bank in relation to her banking service. Further investigation undertaken by the data controller indicated that an unknown third party had obtained limited personal data belonging to the data subject by some external means and had managed to pass the controller’s identity-validation processes. The customer-service agent for the data controller did not follow the validation process fully, and facilitated a SIM card swap on the customer’s account contrary to the controller’s policy. The breach would not have occurred had the controller had more robust processes preventing access to key account information and the customer-service agent had received sufficient data protection training, including on the risks posed to customer personal data by deviating from the company’s validation policy.
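The control failure described above is an agent being able to complete a SIM swap without finishing the validation process. The following added example (not part of the case report and not the operator's actual system) shows the defensive pattern the report's conclusion points to: the validation policy is enforced server-side, so the swap cannot be activated until every required check has been recorded as passed, every attempt is written to an audit log for later incident review, and the current SIM is notified before it is replaced. The policy steps, field names, account and SIM identifiers, and the `notify` hook are all hypothetical constructions for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class ValidationStep(Enum):
    """Hypothetical identity-validation policy for a SIM swap (assumed, not the operator's real policy)."""
    ACCOUNT_PIN = "account PIN or password verified"
    SECURITY_QUESTION = "security question answered correctly"
    RECENT_ACTIVITY = "recent account activity confirmed (e.g. last top-up, last numbers called)"
    ID_DOCUMENT = "photo ID matched against the document on file"


# Every step is mandatory; the swap is refused if any one is unrecorded or failed.
REQUIRED_STEPS = frozenset(ValidationStep)


class PolicyViolation(Exception):
    """Raised when an agent attempts to complete a swap without the full validation record."""


@dataclass
class SwapRequest:
    account_id: str
    agent_id: str
    new_sim_id: str                                  # replacement SIM identifier (constructed placeholder)
    passed_steps: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)    # append-only record for incident review


def record_step(req: SwapRequest, step: ValidationStep, passed: bool) -> bool:
    """Record the outcome of one validation step. Failed steps are logged but never counted."""
    req.audit_log.append({"agent": req.agent_id, "step": step.name, "passed": passed})
    if passed:
        req.passed_steps.add(step)
    else:
        # A failed check also clears any earlier pass for that step; the agent must redo it.
        req.passed_steps.discard(step)
    return passed


def missing_steps(req: SwapRequest) -> list:
    """Names of policy steps not yet passed, in policy order."""
    return [s.name for s in ValidationStep if s not in req.passed_steps]


def authorise_swap(req: SwapRequest, notify) -> bool:
    """Server-side gate: the agent's tooling calls this, and only this can activate the new SIM.
    `notify(account_id, message)` is an assumed hook that messages the *current* SIM before it
    is deactivated, so the legitimate account holder learns of the change and can object."""
    missing = missing_steps(req)
    if missing:
        req.audit_log.append({"agent": req.agent_id, "event": "SWAP_REFUSED", "missing": missing})
        raise PolicyViolation(f"validation incomplete: {', '.join(missing)}")
    notify(req.account_id, "A SIM swap was authorised on your account. Contact us now if this was not you.")
    req.audit_log.append({"agent": req.agent_id, "event": "SWAP_AUTHORISED", "new_sim": req.new_sim_id})
    return True


def run_demo():
    """Constructed scenario mirroring the case: an agent tries to skip steps, then completes them."""
    sent = []
    req = SwapRequest(account_id="ACC-0001", agent_id="agent-42", new_sim_id="SIM-NEW-001")
    record_step(req, ValidationStep.ACCOUNT_PIN, True)
    record_step(req, ValidationStep.SECURITY_QUESTION, True)
    # Agent attempts to proceed with two checks outstanding: the gate refuses and logs it.
    try:
        authorise_swap(req, lambda acct, msg: sent.append((acct, msg)))
        refused = False
    except PolicyViolation:
        refused = True
    record_step(req, ValidationStep.RECENT_ACTIVITY, True)
    record_step(req, ValidationStep.ID_DOCUMENT, True)
    approved = authorise_swap(req, lambda acct, msg: sent.append((acct, msg)))
    events = [e for e in req.audit_log if "event" in e]
    return refused, approved, len(sent), events


if __name__ == "__main__":
    print(run_demo())
```

The point of the design is that the policy lives in the gate, not in the agent's judgement: an agent who deviates from the process, whether through pressure from a convincing caller or through inadequate training, is stopped and the refusal is logged, which is exactly the evidence an investigation like the one above would need. The notification to the existing SIM is a separate, cheap control that gives the real customer a window to intervene before SMS-based bank codes start arriving on the new SIM.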