Medion fined for SIM-swap code breaches

Medion Australia has paid a penalty of nearly $260,000 for not complying with customer identification rules.

Announcing the $259,440 penalty, the Australian Communications and Media Authority said the breach resulted in a number of people falling prey to SIM-swap scams.

ACMA’s investigation found 1600 cases where SIM-swap requests were completed without the customer verification check, along with one password reset request.

“These compliance failures led to nine known cases of people having their SIMs swapped illegally, five of whom suffered financial losses totalling over $160,000," ACMA said.

Last year, ACMA introduced new rules designed to prevent the scam.

The rules require telcos to conduct a “multi-factor identity authentication check” before risky actions like SIM-swaps, changes to accounts, or personal information disclosure.

ACMA Chair Nerida O’Loughlin said that the rules had been very effective in stamping out SIM-swap fraud, which made Medion’s non-compliance stand out.

“In this case, criminals have taken advantage of Medion’s compliance failures,” she said. 

“The rules have now been in place for well over 12 months, so telcos have had more than enough time to ensure they have robust verification processes.” 

It’s not the first time Medion has drawn the ACMA’s attention.

In May 2021, the company was among a number of telcos warned for non-compliance with the authentication regime in place for porting numbers between carriers; other carriers the ACMA criticised at the time included Telstra and Optus.

In the current case, the ACMA has also accepted a two-year court enforceable undertaking from Medion, in which it has committed to appoint an independent consultant to review its compliance with customer ID rules.

Medion must also “report regularly to the ACMA on its progress”, ACMA said in a statement.