
S-Bank Fined EUR 1.8 Million for GDPR Violations

Source: EDPB News (www.edpb.europa.eu)
Filed September 8th, 2025
Detected February 11th, 2026

Summary

The European Data Protection Board reports that the Finnish Supervisory Authority has fined S-Bank EUR 1.8 million for GDPR violations related to a data security vulnerability. The bank failed to implement adequate safeguards, leading to a personal data breach affecting a significant proportion of its customers.

What changed

The Finnish Supervisory Authority (SA) has imposed an administrative fine of EUR 1.8 million on S-Bank and issued a reprimand for violations of the EU General Data Protection Regulation (GDPR). The enforcement action stems from a personal data breach that occurred in August 2022, originating from a software bug in the bank's new login functionality. This vulnerability allowed unauthorized access to customer credentials for over three months, impacting a significant portion of S-Bank's customer base. The SA found that the bank failed to conduct adequate pre-deployment testing, identify the vulnerability, and respond effectively to customer reports of anomalies, thereby breaching Articles 5.1.f, 25.1, 32.1, and 32.2 of the GDPR.

This decision highlights the critical importance of robust data protection by design and by default, as well as comprehensive security of processing measures. Financial institutions and other regulated entities must ensure rigorous testing of new functionalities and prompt responses to identified vulnerabilities and customer complaints. Failure to comply with GDPR provisions can result in substantial financial penalties and reputational damage. While no specific compliance deadline is mentioned for this past event, regulated entities should review their internal processes for software deployment and security vulnerability management to prevent similar breaches and potential enforcement actions.

What to do next

  1. Review data security protocols for new software deployments.
  2. Enhance testing procedures for authentication services.
  3. Improve customer communication channels for reporting system anomalies.

Penalties

EUR 1.8 million fine and a reprimand

Source document (simplified)

Background information

  • Date of final decision: 8 September 2025
  • National case
  • Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 25 (Data protection by design and by default), Article 32 (Security of processing)
  • Decision: Administrative fine, Reprimand
  • Key words: Data security, Data protection by design and by default, Administrative fine, Personal data breach

Summary of the Decision

Origin of the case

The Finnish Supervisory Authority (SA) investigated the personal data breach following a notification by S-Bank in August 2022. In April 2022, the bank had introduced a new login functionality in its mobile service. Due to a software bug in the authentication service, logging into the online bank and online services using strong authentication was possible with the credentials of other customers. The vulnerability was exploitable for more than three months. Some of the bank's customers fell victim to the data breach. In practice, the vulnerability affected a significant proportion of the bank's customers.

Key Findings

The investigation found that the bank did not have adequate safeguards in place to ensure the security of personal data. The bank had not adequately tested the new software prior to its introduction and had not identified the vulnerability before the functionality was deployed. It also failed to respond adequately to its customers' communications about anomalies when logging into the online bank. The Finnish SA considers that the bank's actions violated Articles 5.1.f, 25.1, 32.1 and 32.2 of the EU General Data Protection Regulation.

Decision

The Finnish SA imposed a fine of EUR 1.8 million on the controller and issued a reprimand for non-compliance with data protection legislation. The Finnish SA considered the fine for the data protection breach to be necessary in view of the need to protect the rights of individuals, the general importance of the case and a previous reprimand given to the bank. The SA took into account the decision of the Finnish Financial Supervisory Authority, issued in May 2025, when determining the amount of the fine, and adjusted it accordingly. The Financial Supervisory Authority had assessed the bank's conduct in the same set of events for other infringements and imposed a fine of EUR 7,670,000 for negligence in the management of operational risks.

For further information:
Decisions concerning S-Bank by the Finnish SA in the Finlex Service (in Finnish)

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency
European Data Protection Board
Filed
September 8th, 2025
Instrument
Enforcement
Legal weight
Binding
Stage
Final
Change scope
Substantive

Who this affects

Applies to
Banks, Financial advisers
Geographic scope
EU-wide

Taxonomy

Primary area
Data Privacy
Operational domain
Compliance
Topics
Data Security, GDPR
