Outcomes - Selected Case Summaries



No personal data on reissued SIM cards

Informal Resolution | 02 May 2022

A complainant alleged that a telecoms company sold a SIM card containing his personal data to a third party, allowing the latter to access the former’s data. The third party then used the data for personal reasons, including contacting persons on WhatsApp groups and other social media platforms such as TikTok, to which the phone number was registered.

Our investigation concluded that the complaint did not have any merit as the company does not resell SIM cards.  Instead, where a phone number is assigned and remains dormant for 90 days or greater, the number (not the SIM card) is returned to the pool of phone numbers and is available for reassignment. In any event, newly issued SIM cards do not contain any personal data related to the previous owner. Consequently, the third-party customer could not have accessed the complainant’s personal data in the manner described.

To reduce the risk of a similar incident happening in the future, we recommended that the Complainant implement controls to secure personal data on third-party app profiles. For instance, enabling an extra layer of security to log into the account (i.e. two-factor authentication) or registering for the apps using a personal email address that cannot be reassigned.