GDPR | Apr 17, 2026

AEPD (Spain) - EXP202406208

Spain's AEPD fined EVO Banco €240K for data breach affecting 1.27M individuals via API vulnerability.

Summary

Spain's Data Protection Authority (AEPD) fined EVO Banco S.A. (now Bankinter) €240,000 for a March 2024 data breach affecting approximately 1.27 million customers and employees. The breach stemmed from a vulnerability in a customer-onboarding API, introduced during a system migration, that allowed a third party to retrieve personal and financial data, including identity documents, IBANs and tax declarations, through roughly 1.2 million successful requests. The AEPD found violations of GDPR Article 5(1)(f) (integrity and confidentiality) and Article 5(2) (accountability), citing inadequate access controls and the absence of encryption.

Full text

AEPD - EXP202406208 (GDPRhub, revision as of 12:35, 17 April 2026)

Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR, Article 5(2) GDPR
Type: Investigation
Outcome: Violation Found
Started: 13.10.2025
Decided:
Published: 08.04.2026
Fine: 240,000 EUR
Parties: EVO Banco, S.A. (now Bankinter S.A.)
National Case Number/Name: EXP202406208
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Ainhoa Salazar Cardero

The Spanish DPA fined a bank €240,000 for failing to ensure the integrity and confidentiality of its clients' and employees' data in relation to a data breach, in violation of Article 5(1)(f) GDPR.

English Summary

Facts

On 23 March 2024, a personal data breach began at EVO Banco S.A. (now Bankinter), the controller, caused by a vulnerability in an API used for customer onboarding that had been introduced during a system migration. Between 23 and 26 March 2024, around 5 million anomalous requests were made against the API, of which approximately 1.2 million succeeded and returned personal data to an unauthorized party. The controller did not detect this traffic itself: on 8 April 2024 its third-party cybercrime detection service reported a Deep Web post by a hacker claiming to hold a database of 1.3 million clients of a Spanish bank. The controller notified the AEPD five days later, on 13 April 2024, stating that approximately 1.27 million individuals were affected. It assessed the risk as low and initially decided not to inform data subjects. On 18 April 2024, the AEPD ordered the controller to notify the affected individuals and opened an investigation. The attacker later published data relating to 958 customers and four employees.

Holding

First, the DPA held that the controller infringed Article 5(1)(f) GDPR by failing to ensure the integrity and confidentiality of personal data: the API vulnerability allowed a third party to access personal data without authorization and then threaten to publish it on the dark web.

Second, the DPA found that the controller had not implemented appropriate technical and organisational measures, pointing to the lack of adequate access controls and the absence of data encryption. These shortcomings enabled the breach, and the failure to prevent unauthorized access also breached the accountability principle of Article 5(2) GDPR.

Third, the DPA stressed the seriousness of the breach given its scale and the nature of the data. Approximately 1.27 million individuals were affected, and the data covered a wide range of personal and financial information, increasing the risk of fraud and identity theft. Because the data set combined the data subjects' identity documents with financial data such as IBANs and tax declarations, the DPA considered that it could be used to build profiles for fraud and identity impersonation.

Finally, the DPA weighed aggravating and mitigating factors: the large-scale processing of personal data as aggravating, and the subsequent corporate merger as mitigating. The controller made a voluntary payment of €240,000.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202406208
Spanish Data Protection Agency, C/ Jorge Juan, 6, 28001 Madrid (www.aepd.es, sedeaepd.gob.es)

RESOLUTION TERMINATING THE PROCEEDINGS BY ACKNOWLEDGMENT OF LIABILITY AND VOLUNTARY PAYMENT

From the proceedings initiated by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: On October 13, 2025, the Presidency of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against BANKINTER, S.A. (hereinafter, BANKINTER), by means of the agreement transcribed below:

<< File No.: EXP202406208

AGREEMENT TO INITIATE SANCTIONING PROCEEDINGS

Based on the actions taken by the Spanish Data Protection Agency and the following

FACTS

FIRST: On April 13, 2024, this Agency was notified of a breach of personal data belonging to EVO BANCO, S.A., with Tax Identification Number A70386024 (hereinafter, EVO BANCO). In the notification, EVO BANCO, through the submission form on its website, states the following:

- What may have occurred?: Cyber incident: Unauthorized access to data in an information system (corporate or internet service).
- Temporal information: The breach began on March 23, 2024, and was detected on April 9, 2024.
- Type of breach: Confidentiality.
- Type of incident: Cyber incident: Unauthorized access to data in an information system (corporate or internet service).
- Responsible party: Not specified.
- Specifically regarding the data affected by the confidentiality breach: Is the data securely encrypted, anonymized, or protected in such a way that it is unintelligible to anyone who may have had access, or can the individuals be identified? No.
- Degree to which it will affect people: very limited inconveniences.
- Summary of the incident: On April 8, the security teams of EVO BANCO were informed by their detection service of a publication on the Deep Web claiming to have a database of a Spanish BANK with 1.3 million clients. As a preventive measure, EVO BANCO performed a check on its systems in order to identify any possible vulnerabilities and whether said publication referred to its client database. A weakness was identified (…); a number of anomalous queries were detected over a period of 2 days, approximately 5 million, of which 1.2 million were confirmed as successful. As soon as this situation was confirmed, in addition to proactively correcting the error (…), reinforcement and corrective measures were established, as well as fraud prevention measures, which are detailed in the attached documentation.
- Data categories: Basic data (e.g., name, surname, date of birth), National Identity Document (DNI), Foreigner's Identity Number (NIE), Passport and/or any other identification document, Contact information.
- Number of affected parties: 1,275,049.
- Categories of affected parties: Customers / Citizens, Subscribers / Potential.
- Communication to affected parties: They will not be informed.
- Cross-border implications: No.
- Breach resolved: Yes.
- Method of breach detection: Detection methods implemented proactively by the data controller or processor.
- The incident has been reported to the police authorities: No.

Along with the notification, the data controller attaches a report, dated April 12, 2024, with additional information on breach management, entitled “REPORT SECURITY INCIDENT EVO BANCO, S.A.” (hereinafter, the initial report), which, in summary, reveals the following:

- The data controller detected the breach through a cybercrime prevention and detection service, provided by third parties, upon detecting the sale on the Deep Web of a database of the entity's clients.
- The data controller considers the detected advertisement credible after verifying matches with internal encodings used (…).
- The data controller detects a vulnerability generated as a consequence of (…)
- (…) is used in user registration processes and grants access to a limited data record. For security reasons, access is limited externally to the data owner, or internally to a Bank manager.
- (…) an error occurred that apparently affected the established limitation.
- As a result of the internal investigation, the responsible party identified that
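The access-control failure the decision describes (an onboarding API that serves a limited data record which should be readable only by its owner from outside or by a bank manager from inside, and an error that broke that limitation) lends itself to a small model: the unchecked handler beside the hardened one, the id-walking that the missing check permits, and the one log signal that would have exposed it. The following Python is an added illustration, not EVO Banco's code; the decision elides the actual defect with "(…)". The record contents, the caller model, the role names and the detection threshold are assumptions made for the example.

```python
"""Illustrative model of the failure class in AEPD EXP202406208 (added
example, not the controller's code). Assumed: the record layout, the
caller model, the roles "customer"/"manager"/"teller", and a threshold of
one distinct record per external session."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data standing in for the "limited data record".
RECORDS = {
    "C1001": {"name": "Ana", "iban": "ES00 0000 0000 0000 0000 0001"},
    "C1002": {"name": "Luis", "iban": "ES00 0000 0000 0000 0000 0002"},
    "C1003": {"name": "Marta", "iban": "ES00 0000 0000 0000 0000 0003"},
    "C1004": {"name": "Pablo", "iban": "ES00 0000 0000 0000 0000 0004"},
}


@dataclass(frozen=True)
class Caller:
    subject_id: str   # identity the caller authenticated as (customer or staff id)
    internal: bool    # True if the request arrived over the internal channel
    role: str         # assumed roles: "customer", "manager", "teller"


class Forbidden(Exception):
    """Authorization failure; the caller learns nothing about the record."""


def lookup_unchecked(caller: Caller, record_id: str) -> dict:
    """Vulnerable form: the record id comes from the request and is never
    compared with the authenticated identity, so any valid session can read
    any record (missing object-level authorization)."""
    return RECORDS[record_id]


def lookup_checked(caller: Caller, record_id: str) -> dict:
    """Hardened form: deny by default; allow only the owner from outside or a
    manager from inside. The decision is taken before the record is fetched,
    so an outsider cannot use the response to learn which ids exist."""
    is_owner = not caller.internal and caller.subject_id == record_id
    is_manager = caller.internal and caller.role == "manager"
    if not (is_owner or is_manager):
        raise Forbidden(f"{caller.subject_id} may not read {record_id}")
    return RECORDS[record_id]   # KeyError is only reachable by authorized callers


def enumerate_records(lookup, caller: Caller, candidate_ids, log) -> int:
    """Walk a list of candidate ids with one session, as the attacker did at
    scale, appending (caller id, internal?, record id, status) to an access
    log. Returns the number of records actually read."""
    hits = 0
    for rid in candidate_ids:
        try:
            lookup(caller, rid)
            status = 200
            hits += 1
        except Forbidden:
            status = 403
        except KeyError:
            status = 404
        log.append((caller.subject_id, caller.internal, rid, status))
    return hits


def flag_enumeration(log, max_distinct: int = 1) -> dict:
    """Detection over the access log: an external customer owns exactly one
    record, so an external session that successfully reads more than
    max_distinct distinct records is enumerating. Returns the offending
    caller ids with the number of distinct records each read."""
    seen = defaultdict(set)
    for caller_id, internal, rid, status in log:
        if not internal and status == 200:
            seen[caller_id].add(rid)
    return {c: len(r) for c, r in seen.items() if len(r) > max_distinct}


if __name__ == "__main__":
    attacker = Caller("C1001", internal=False, role="customer")
    probe = ["C1001", "C1002", "C1003", "C1004", "C1005"]  # C1005 does not exist
    for name, lookup in (("unchecked", lookup_unchecked), ("checked", lookup_checked)):
        log = []
        hits = enumerate_records(lookup, attacker, probe, log)
        print(name, "records read:", hits, "flagged:", flag_enumeration(log))
```

Run stand-alone, the script reads all four constructed records through the unchecked handler and only the caller's own record through the checked one, and the detector flags the unchecked run because one external session read four distinct records. Two design points carry over to real onboarding APIs: the hardened handler decides authorization before touching storage, so a refused outsider receives the same 403 for existing and non-existing ids and cannot turn the endpoint into an existence oracle; and the detection threshold is tied to what an external caller legitimately owns (one record), which is a far sharper signal than a generic error-rate alarm when, as here, the bulk of the anomalous requests were succeeding.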

Entities

EVO Banco S.A. (now Bankinter) (vendor)
AEPD (Spanish Data Protection Authority) (vendor)