News
🔁 Authentication issue
🇫🇮🔐 Finland – Banking Sector: when 47 minutes cost €865,000
Personal data breach following a change in authentication software settings
📌 Key facts:
❗ Issue: When two or more customers logged in simultaneously to the strong identification service, they were able to access third-party data (name, personal data, health, financial information, social benefits), with the possibility to perform transactions.
Service involved: strong electronic identification (e-ID) using bank credentials, used to access third-party services (authorities, funds, insurance, healthcare, etc.).
Not affected: direct access to online banking.
👥 Data subjects: approx. 350 customers.
🕒 Timeframe: from 09:03 to 09:50 on 24 January 2023.
💶 Sanction: €865,000 fine + strong reminder of security and testing obligations. Decision not final (the bank is appealing).
🚨 GDPR violations identified:
· Article 5(1)(f): integrity & confidentiality not ensured → misidentification allowed potential access to third-party data.
· Article 25(1): lack of data protection by design and by default → technical change without adequate risk analysis or testing.
· Article 32: insufficient technical & organisational measures → change management, testing, automated controls and monitoring not aligned with the level of risk.
⚙️ Key message for banks & e-ID providers:
🧩 A single poorly managed technical change in an identification service can be enough to:
· compromise trust,
· expose highly confidential data,
· reveal the absence of proper end-to-end testing,
· show a failure to apply privacy by design / by default.
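The defect described above (overlapping logins to an identification service returning another customer's identity) is exactly what an end-to-end concurrency test should catch before a settings change reaches production. The following is an added illustration, not the bank's code or the actual root cause: it simulates a hypothetical misconfiguration in which in-flight logins share one process-wide "authenticated user" slot, places a corrected per-request version beside it, and runs the check that flags any misidentification.

```python
import threading
from typing import Callable, Dict

# Hypothetical misconfigured broker: one shared slot is written by every
# in-flight login, so overlapping logins can read each other's identity.
class SharedSlotBroker:
    def __init__(self) -> None:
        self._current_user = ""

    def login(self, user_id: str, overlap: Callable[[], object]) -> str:
        self._current_user = user_id   # write the shared slot
        overlap()                      # another login may run here
        return self._current_user      # identity asserted to the relying party


# Corrected form: the identity travels with the request, never via shared state.
class PerRequestBroker:
    def login(self, user_id: str, overlap: Callable[[], object]) -> str:
        asserted = user_id
        overlap()
        return asserted


def concurrent_login_check(broker, user_ids) -> Dict[str, str]:
    """Run all logins so they overlap at the same point.

    Returns {user_id: identity asserted}; any entry whose value differs
    from its key is a misidentification (the Article 5(1)(f) failure).
    """
    barrier = threading.Barrier(len(user_ids))  # forces the overlap
    results: Dict[str, str] = {}
    lock = threading.Lock()

    def worker(uid: str) -> None:
        asserted = broker.login(uid, barrier.wait)
        with lock:
            results[uid] = asserted

    threads = [threading.Thread(target=worker, args=(u,)) for u in user_ids]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def misidentifications(results: Dict[str, str]) -> Dict[str, str]:
    """Subset of results where a customer was given someone else's identity."""
    return {u: a for u, a in results.items() if u != a}


if __name__ == "__main__":
    users = ["customer-A", "customer-B"]  # constructed sample customers
    print(misidentifications(concurrent_login_check(SharedSlotBroker(), users)))
    print(misidentifications(concurrent_login_check(PerRequestBroker(), users)))
```

Because the barrier releases only after every login has written the slot, the shared-slot broker deterministically hands all but one caller the last writer's identity, which is the condition such a test must fail on.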