In December, the German data protection authority issued a fine of EUR 9.55 million to 1&1, a German ISP.
The reason was insufficiently secured access to customer personal data via the company's helpline, caused by a low standard of authentication.
Basically, anybody could call in, state somebody else's name and birthday, and pose as them, thus gaining access to their personal data.
The ISP claims that the subject matter and the fine are unconstitutional and will most likely challenge it further. The fine is, however, yet another example of the extremely severe penalties currently imposed for GDPR breaches in Western Europe.
Do you protect your personal data better?