S-Bank Plc – €1,800,000 Fine (Finland, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The controller is a bank, S-Bank Plc, which in 2022 introduced a new login functionality for its app, S-Mobile. Between 20 April 2022 and 5 August 2022, due to a software error, some customers were able to log in to S-Mobile with another customer's online banking credentials and to make payments from another customer's account. The incident affected a significant number of customers, causing financial loss to some of them. The controller informed the DPA (Data Protection Ombudsman, Tietosuojavaltuutetun toimisto) about the data breach, which initiated investigations.

The controller claimed that it had implemented the technical and organisational measures required by Article 25 and Article 32 GDPR, and that the vulnerability in question was of such a nature that it was very difficult to detect and identify. The controller considered that it would not have had the opportunity to act otherwise. In any case, according to the controller, the liability for the functionality of the authentication service lay entirely with its processor, the service provider.

First, the DPA found that the controller did not have appropriate technical and organisational safeguards in place to prevent third parties from accessing personal data. The login method bug could not be considered so atypical and exceptional that its detection would have been unreasonably difficult for the controller. If the controller had properly tested the functionality in a sufficiently comprehensive manner, as required by Article 32(1) GDPR and taking into account the risks involved in the processing, it could have identified the error. In addition, the measures taken by the controller after the introduction of the new software had not been adequately adapted to the risks of the processing. Second, the DPA pointed out that the controller was overall responsible for breaches caused by its processor. Third, the DPA concluded that the controller violated Article 5(1)(f) GDPR, Article 25(1) GDPR and Article 32(1) G
GDPR Articles Cited
Related Enforcement Actions (0)
No other enforcement actions found for S-Bank Plc in FI
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
8 September 2025
Authority
DPA Tietosuojavaltuutetu
Fine Amount
€1,800,000
GDPRhub ID
gdprhub-9522
Cite as: Cookie Fines. S-Bank Plc - Finland (2025). Retrieved from cookiefines.eu