Administrative fine of 1.8 million euros imposed by the Finnish Data Protection Authority on S-Bank for data security vulnerability
The National Center for Personal Data Protection (NCPDP), for information and practical application purposes, communicates about the administrative fine of 1.8 million euros imposed by the Finnish Data Protection Authority (SA) on the company S-Bank for violating Article 5 (Principles relating to the processing of personal data), Article 25 (Data protection by design and by default) and Article 32 (Security of processing) of the GDPR.
Following the notification sent by S-Bank in August 2022, the Finnish SA initiated an investigation into a security breach that affected a significant number of the bank’s customers. The vulnerability was introduced in April 2022 with the launch of a new authentication mechanism. Because of a software error in the authentication service, it was possible to log in to online banking and to access digital services protected by strong authentication using the login details of other customers. This technical failure remained exploitable for more than three months, and some customers were directly affected.
Following the investigation, it was found that the bank lacked adequate security measures and appropriate technical and organizational controls. The deficiencies included insufficient testing of new functionalities before deployment, failure to identify vulnerabilities during development and testing, and inadequate response to customer reports of authentication anomalies.
In this context, the Finnish SA imposed an administrative fine of EUR 1.8 million on the controller for violating the provisions of Articles 5(1)(f), 25(1), 32(1) and 32(2) of the GDPR and issued a reprimand for non-compliance with data protection legislation.
When determining the amount of the fine, the Finnish SA took into account the need to protect the rights of the individuals concerned, the overall seriousness of the incident, as well as the fact that the bank had previously been warned about its obligations. The fine was also adjusted in the context of a separate sanction issued in May 2025 by the Finnish Financial Supervisory Authority, which imposed a fine of 7,670,000 euros on S-Bank for deficiencies in operational risk management in relation to the same set of events.
NCPDP, as the national supervisory authority for the processing of personal data, emphasizes the responsibility of personal data controllers to comply with the legislative framework on the protection of personal data and to ensure that their processing operations comply with the legislation in force.