AEPD (Spain) - EXP202406208
Spain's AEPD fined EVO Banco €240K over an API vulnerability that caused a data breach affecting 1.27M individuals.
Summary
Spain's data protection authority (AEPD) fined EVO Banco (now Bankinter) €240,000 for a March 2024 data breach affecting approximately 1.27 million individuals caused by an API vulnerability introduced during system migration. The bank failed to implement adequate access controls, data encryption, and integrity safeguards required under GDPR Article 5(1)(f), and initially refused to notify affected individuals. The fine was reduced 40% through voluntary payment and liability acknowledgment.
Full text
AEPD - EXP202406208
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR; Article 5(2) GDPR
Type: Investigation
Outcome: Violation Found
Started: 13.10.2025
Decided:
Published: 08.04.2026
Fine: 240000 EUR
Parties: EVO Banco, S.A. (now Bankinter S.A.)
National Case Number/Name: EXP202406208
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Ainhoa Salazar Cardero

The DPA fined a bank €240,000 for failing to ensure the integrity and confidentiality of their clients’ and employees’ data in relation to a data breach caused by a vulnerability in an API that allowed unauthorized access to personal data by a third party, affecting approximately 1.27 million individuals.
English Summary

Facts

On 23 March 2024, a personal data breach began at EVO Banco S.A. (now Bankinter S.A.), the controller, due to a vulnerability in an API used for customer onboarding, introduced during a system migration. Between 23 and 26 March 2024, around 5 million anomalous requests were made, of which approximately 1.2 million were successful, allowing unauthorised access to personal data. On 30 April 2024, a hacker published on the Deep Web that they held a database of 1.3 million clients of a Spanish bank. The controller detected this post on 8 April 2024 and notified the DPA five days later, stating that approximately 1.27 million individuals were affected. The controller considered the risk to be low and initially decided not to inform data subjects. On 18 April 2024, the DPA ordered the controller to notify affected individuals and launched an investigation. The attacker later published data relating to 958 customers and four employees.

Holding

First, the DPA held that the controller violated Article 5(1)(f) GDPR, as it failed to ensure the integrity and confidentiality of personal data. The breach resulted from a vulnerability in an API that allowed unauthorised access to personal data by a third party, who used the information to threaten the controller with publishing the data on the dark web.

Second, the DPA found that the controller had not implemented appropriate technical and organisational measures, highlighting deficiencies such as the lack of adequate access controls and the absence of data encryption. These shortcomings enabled the breach and demonstrated a failure to prevent unauthorised access, also breaching the principle of accountability under Article 5(2) GDPR.

Third, the DPA emphasised the seriousness of the breach due to its scale and the nature of the data involved. The incident affected approximately 1.27 million individuals and included a wide range of personal and financial data, increasing the risk of fraud and identity theft. The DPA stressed that the comprehensive nature of the data, including both the ID of the data subjects and financial data such as IBANs or tax declarations, could be used to construct profiles which could subsequently be used for fraud and identity impersonation.

The fine was initially set at €400,000, but pursuant to Law 39/2015, a Spanish law on administrative proceedings, the DPA informed the controller that it could make a voluntary payment of the proposed fine and waive its right to appeal, which reduces the fine by 20%. The fine can be reduced by a further 20% if the controller acknowledges its liability. The controller opted for both, reducing the fine by 40% and paying the reduced amount of €240,000. The DPA took into account both aggravating and mitigating factors, including the large-scale processing of personal data as an aggravating factor and the subsequent corporate merger as a mitigating factor.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: EXP202406208

RESOLUTION TERMINATING THE PROCEEDINGS BY ACKNOWLEDGMENT OF LIABILITY AND VOLUNTARY PAYMENT

From the proceedings initiated by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: On October 13, 2025, the Presidency of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against BANKINTER, S.A.
(hereinafter, BANKINTER), by means of the agreement transcribed below:

<< File No.: EXP202406208

AGREEMENT TO INITIATE SANCTIONING PROCEEDINGS

Based on the actions taken by the Spanish Data Protection Agency and the following

FACTS

FIRST: On April 13, 2024, this Agency was notified of a breach of personal data belonging to EVO BANCO, S.A., with Tax Identification Number A70386024 (hereinafter, EVO BANCO). In the notification, EVO BANCO, through the submission form on its website, states the following:

What may have occurred?: Cyber incident: Unauthorized access to data in an information system (corporate or internet service)
- Temporal information: The breach began on March 23, 2024, and was detected on April 9, 2024.
- Type of breach: Confidentiality.
- Type of incident: Cyber incident: Unauthorized access to data in an information system (corporate or internet service).
- Responsible party: Not specified.
- Specifically regarding the data affected by the confidentiality breach: Is the data securely encrypted, anonymized, or protected in such a way that it is unintelligible to anyone who may have had access, or can the individuals be identified? No
- Degree to which it will affect people: very limited inconveniences.

C/ Jorge Juan, 6, 28001 Madrid. www.aepd.es / sedeaepd.gob.es

- Summary of the incident: On April 8, the security teams of EVO BANCO were informed by their detection service of a publication on the Deep Web claiming to have a database of a Spanish BANK with 1.3 million clients. As a preventive measure, EVO BANCO performed a check on its systems in order to identify any possible vulnerabilities and whether said publication referred to its client database. A weakness was identified (…); a number of anomalous queries were detected over a period of 2 days, approximately 5 million, of which 1.2 million were confirmed as successful. As soon as this situation was confirmed, in addition to proactively correcting the error (…), reinforcement and corrective measures were established, as well as fraud prevention measures, which are detailed in the attached documentation.
- Data categories: Basic data (e.g., name, surname, date of birth), National Identity Document (DNI), Foreigner's Identity Number (NIE), Passport and/or any other identification document, Contact information
- Number of affected parties: 1,275,049
- Categories of affected parties: Cust