Background information
- Date of final decision: 8 September 2025
- National case
- Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 25 (Data protection by design and by default), Article 32 (Security of processing)
- Decision: Administrative fine, Reprimand
- Key words: Data security, Data protection by design and by default, Administrative fine, Personal data breach
Summary of the Decision
Origin of the case
The Finnish Supervisory Authority (SA) investigated the personal data breach following a notification by S-Bank in August 2022. In April 2022, the bank had introduced a new login functionality in its mobile service. Due to a software bug in the authentication service, logging into the online bank and online services using strong authentication was possible with the credentials of other customers. The vulnerability was exploitable for more than three months. Some of the bank's customers fell victim to the data breach. In practice, the vulnerability affected a significant proportion of the bank's customers.
Key Findings
The investigation found that the bank did not have adequate safeguards in place to ensure the security of personal data. The bank had not adequately tested the new software prior to its introduction and had not identified the vulnerability before the functionality was deployed. It also failed to respond adequately to its customers' communications about anomalies when logging into the online bank. The Finnish SA considers that the bank's actions violated Articles 5(1)(f), 25(1), 32(1) and 32(2) of the EU General Data Protection Regulation.
Decision
The Finnish SA imposed a fine of EUR 1,8 million on the controller and issued a reprimand for non-compliance with data protection legislation. The Finnish SA considered the fine for the data protection breach to be necessary in view of the need to protect the rights of individuals, the general importance of the case and a previous reprimand given to the bank. The SA took into account the decision of the Finnish Financial Supervisory Authority, issued in May 2025, when determining the amount of the fine, and adjusted it accordingly. The Financial Supervisory Authority had assessed the bank’s conduct in the same set of events for other infringements and imposed a fine of EUR 7 670 000 for negligence in the management of operational risks.
For further information:
- Decisions concerning S-Bank by the Finnish SA in the Finlex Service (in Finnish)