News
🇫🇮 Costly negligence and security
🔐 Personal data & security
A loan comparator
📅 On December 17, 2024, the Finnish Data Protection Authority fined a loan comparator €950,000 for security flaws that exposed confidential data.
❌ What happened?
➡️ Personal URL links sent to customers allowed access to their loan application without authentication.
➡️ These URLs were targeted by phishing attacks, exposing:
- contact details,
- marital status,
- income,
- housing costs,
- and even information about their children.
📉 Anyone with the URL and some technical skills could access the data.
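The access-control gap described above, modelled as an added illustration (not code from the post, the company or the regulator's decision): a loan application looked up solely by the token in a personal link, beside a hardened version in which the link only selects the record and an authenticated session for the owning customer is still required. All names and sample data are constructed.

```python
import hmac
from typing import Optional

# Constructed sample store: link token -> loan application record.
# In the flawed design this token, embedded in the personal URL, is the
# only thing standing between an attacker and the record.
APPLICATIONS = {
    "tok-a1b2": {"customer_id": "cust-001", "income": 42000, "children": 2},
    "tok-c3d4": {"customer_id": "cust-002", "income": 55000, "children": 0},
}


def fetch_by_link_vulnerable(token: str) -> Optional[dict]:
    """The flawed pattern: whoever holds the URL token receives the record.
    A phished or forwarded link therefore acts as a full credential."""
    return APPLICATIONS.get(token)


def fetch_by_link_hardened(token: str,
                           session_customer_id: Optional[str]) -> Optional[dict]:
    """Hardened pattern: the link identifies which application to show, but
    the request must also carry an authenticated session, and that session
    must belong to the customer who owns the application."""
    if session_customer_id is None:
        # No login: the link alone grants nothing (redirect to login in a real app).
        return None
    record = APPLICATIONS.get(token)
    if record is None:
        return None
    # Constant-time comparison of the record owner against the session identity.
    if not hmac.compare_digest(record["customer_id"], session_customer_id):
        # Valid token presented from the wrong account: deny and raise an
        # audit event, since this is exactly what a phished link looks like.
        return None
    return record
```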
⚠️ Violations found
🔹 Article 5.1(f) GDPR - Integrity and confidentiality
🔹 Article 25 GDPR - Data protection by design and by default
🔹 Article 32 GDPR - Security of processing
📣 Decision of the Finnish supervisory authority (SA)
✅ Administrative fine: €950,000
✅ Notification order: company must inform its customers
✅ Official reprimand
🧩 To remember:
🔐 URLs without authentication = critical flaw
📲 Data security is not optional, especially when dealing with:
- income,
- financial information,
- personal and family data.