Re:GDPR? (Score 3, Informative)

There's no way that social security numbers, dates and places of birth are required to a manage a cell phone account. Maybe to validate some Gov requirement on opening, but after that under GDPR the info should have been deleted.

Actually, in Italy mobile operators are required by law to collect and keep that data for law enforcement purposes.

However, the Italian equivalent of the social security number is not meant to be a secret and is never used as such (as it can be easily computed from the name, date and place of birth). It's also mandatory on invoices, so a lot of businesses have it. Identity theft is less of a problem in Italy, because information alone is not enough to impersonate somebody. In all sensitive situations (like opening a bank account, or even getting a SIM card) you have to show your ID card in person (and there are only a couple of valid government issued IDs).

Someone could still use that data with a bit of social engineering to get access to some accounts, probably.