The Hellenic Data Protection Authority (HDPA) in Greece on Jan. 27 fined mobile phone operator Cosmote and its parent company OTE a total of 9.25 million euros (U.S. $10.6 million) for a data breach caused by a September 2020 cyberattack and for illegally processing customer data.

Cosmote was fined €6 million (U.S. $6.9 million) for failing to protect a file containing the call histories of thousands of customers from hackers, while OTE was penalized €3.25 million (U.S. $3.7 million) for failing to provide the necessary security infrastructure to prevent such an attack from happening. The HDPA announced the sanctions in English via press release Jan. 31.

The stolen data in the September 2020 attack included phone numbers, call records, customer age and gender information, and subscriber mobile tariff plans, according to an announcement from Cosmote. The file did not contain call or message content, names or addresses, passwords, or information relating to customers’ credit cards and bank accounts.

Over a six-year period, Cosmote retained call data for 90 days as part of its customer service policy to check for network problems. The data then became anonymized and retained for 12 months so the company could hone and better market its services.

The HDPA found Cosmote breached Greek data privacy laws and the European Union’s General Data Protection Regulation (GDPR) by failing to be transparent about why the data was retained, how it was used, and for failing to take sufficient measures to protect it. The regulator said more than 10 million subscribers and users had their data illegally processed.

In addition to the fines, the HDPA ordered Cosmote to stop further illegal data processing and destroy the data it collected.

In an emailed statement, OTE said it “implemented and implements all the available measures for securing its infrastructure,” adding it self-reported the cyberattack to the data regulator upon detection and cooperated with the investigation.

The company added, “Cyberattacks occur on an everyday basis across the globe, targeting the technology systems of companies, organizations, and institutions. OTE Group refutes every month more than 500,000 malicious third-party attacks on its systems.”

The two fines are the largest imposed under the GDPR in Greece, according to the GDPR Enforcement Tracker.

Telecommunications firms have been a recurring target for penalties under the GDPR across multiple EU countries. They have also been among the hardest hit by fines.

The Spanish DPA on Feb. 1 fined several telecoms under the GDPR, including a €3.94 million (U.S. $4.5 million) penalty for Vodafone, a €900,000 (U.S. $1.03 million) fine for Telefonica Moviles, and fines worth €700,000 (U.S. $800,000) and €70,000 (U.S. $80,000) for Orange.

Emily Cox, head of media disputes at law firm Stewarts, said it is no surprise telecoms have been the subject of so many GDPR fines given the sheer size of their client bases and the millions of sensitive communications they host. She added, “As with the technology sector, it is troubling both security and processes continue to be an issue. These fines are not just the product of unfortunate cyberattacks.”