GDPR | Apr 28, 2026

AEPD (Spain) - EXP202406208

Spain's AEPD fines EVO Banco €240K for an API vulnerability that exposed the personal data of about 1.27 million customers.

Summary

Spain's data protection authority (AEPD) fined EVO Banco S.A. (now Bankinter S.A.) €240,000 for a March 2024 data breach affecting approximately 1.27 million individuals. The breach stemmed from a vulnerability in a customer-onboarding API introduced during a system migration: between 23 and 26 March 2024 around 5 million anomalous requests were made to the API, of which approximately 1.2 million succeeded in retrieving personal data. The bank became aware of the breach only when it detected a Deep Web post in which the attacker claimed to hold the data; it initially rated the risk as low and did not inform data subjects until the AEPD ordered it to. The AEPD found that the bank lacked adequate access controls and had not encrypted the data, in violation of the integrity and confidentiality principle of Article 5(1)(f) GDPR and the accountability principle of Article 5(2) GDPR. The fine was initially set at €400,000 and reduced to €240,000 under Spanish administrative law (Law 39/2015): 20% for voluntary payment with waiver of appeal, plus a further 20% for acknowledging liability.

Full text

AEPD - EXP202406208

From GDPRhub. Latest revision: 09:32, 28 April 2026.

Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR; Article 5(2) GDPR
Type: Investigation
Outcome: Violation Found
Started: 13.10.2025
Decided:
Published: 08.04.2026
Fine: 240,000 EUR
Parties: EVO Banco, S.A. (now Bankinter S.A.)
National Case Number/Name: EXP202406208
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Ainhoa Salazar Cardero

The DPA fined a bank €240,000 for failing to ensure the integrity and confidentiality of its clients' and employees' data in relation to a data breach, in violation of Article 5(1)(f) GDPR.

English Summary

Facts

On 23 March 2024, a personal data breach began at EVO Banco S.A. (now Bankinter S.A.), the controller, due to a vulnerability in an API used for customer onboarding, introduced during a system migration. Between 23 and 26 March 2024, around 5 million anomalous requests were made to the API, of which approximately 1.2 million were successful, allowing unauthorised access to personal data.

Shortly afterwards, a hacker published on the Deep Web that they held a database of 1.3 million clients of a Spanish bank. The controller detected this post on 8 April 2024 and notified the AEPD five days later, stating that approximately 1.27 million individuals were affected. The controller considered the risk to be low and initially decided not to inform data subjects. On 18 April 2024, the AEPD ordered the controller to notify the affected individuals and launched an investigation. The attacker later published data relating to 958 customers and four employees.

Holding

First, the DPA held that the controller violated Article 5(1)(f) GDPR, as it failed to ensure the integrity and confidentiality of personal data. The breach resulted from a vulnerability in an API that allowed a third party unauthorised access to personal data; the third party then used the information to threaten the controller with publishing the data on the dark web.

Second, the DPA found that the controller had not implemented appropriate technical and organisational measures, highlighting deficiencies such as the lack of adequate access controls on the API and the absence of encryption of the data. These shortcomings enabled the breach and demonstrated a failure to prevent unauthorised access, which also breached the accountability principle of Article 5(2) GDPR.

Third, the DPA emphasised the seriousness of the breach due to its scale and the nature of the data involved. The incident affected approximately 1.27 million individuals and included a wide range of personal and financial data, increasing the risk of fraud and identity theft. The DPA stressed that the comprehensive nature of the data, including both the identity documents of the data subjects and financial data such as IBANs or tax declarations, could be used to build profiles that would subsequently be used for fraud and identity impersonation.

Finally, the DPA weighed aggravating and mitigating factors: the large-scale processing of personal data as an aggravating factor, and the subsequent corporate merger as a mitigating factor. The fine was initially set at €400,000. Pursuant to Law 39/2015, the Spanish law on administrative proceedings, the DPA informed the controller that it could make a voluntary payment of the proposed fine and waive its right to appeal, which reduces the fine by 20%; acknowledging liability reduces it by a further 20%. The controller opted for both, reducing the fine by 40% and paying the reduced amount of €240,000.

Entities

EVO Banco S.A. / Bankinter (vendor)
API vulnerability (technology)