4Finance Spain Financial Services – €360,000 Fine (Spain, 2024)

€360,000 | Agencia Española de Protección de Datos | 7 May 2024 | Spain
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

On 10 August 2022, a data subject notified 4Finance Spain Financial Services, S.A.U. (the controller) that they had received an unsolicited loan to their bank account with the controller. By 1 September 2022, the controller had received 10 more complaints of a similar nature from clients. The controller assessed the risk levels and severity of these breaches in August, September and November of the same year using an internal method based on European Union Agency for Cybersecurity (ENISA) standards. Based on these assessments, the controller determined that it was not necessary to notify the AEPD or the affected parties of the violation.

Between 3 and 23 February 2023, the AEPD received various complaints from data subjects, who were clients of the controller, alleging similar unsolicited loans to their accounts. On 14 February 2023, the controller claimed to have become aware of a data breach affecting personal data of its clients and employees. The breach ultimately affected 9636 data subjects and included names, birth dates, national identification numbers, foreigner identity numbers, passport or identification document numbers, payment data (such as banks and cards) and contact information.

The breach was a brute-force attack that attempted different combinations of national identity numbers and emails with passwords. Once the attackers gained access to client accounts, they took out loans in the data subjects’ names, which the controller accepted and placed into client accounts. The attackers then contacted data subjects via WhatsApp, pretending to be the controller and requesting the refund of the amount to an account number controlled by the attackers. 139 of the affected data subjects were victims of this fraud.

The controller notified the Spanish DPA (AEPD) of the data breach on 17 February 2023. It expressed that it did not consider the breach to pose a high risk to the rights and liberties of affected data subjects and that it thus would not communicate the bre

GDPR Articles Cited

AI-verified

Art. 32 GDPR
Art. 5(1)(f) GDPR

National Law Articles

AI-identified

Ley 39/2015
Source verified 6 March 2026
national law identified
amount discrepancy

Related Enforcement Actions (0)

No other enforcement actions found for 4Finance Spain Financial Services in ES

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

7 May 2024

Authority

Agencia Española de Protección de Datos

Fine Amount

€360,000

GDPRhub ID

gdprhub-7874

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. 4Finance Spain Financial Services - Spain (2024). Retrieved from cookiefines.eu
