On September 10, 2025, Finland’s Data Protection Ombudsman issued an administrative fine of €1.8 million to S-Pankki for a serious security flaw in its S-Mobiili mobile banking app. The vulnerability, which was present from April to August 2022, enabled users to access the bank’s online services and other platforms requiring strong authentication using another customer’s credentials. This exposed a substantial number of S-Pankki’s customers to risks of data breaches and financial fraud. The case highlights ongoing challenges in securing digital financial services under the EU’s General Data Protection Regulation (GDPR).
Background: S-Pankki and the Role of S-Mobiili
S-Pankki, part of the S-Group retail cooperative, provides banking services to more than three million customers in Finland. The S-Mobiili app integrates banking functions with loyalty programs and retail features, aiming to offer seamless digital experiences. However, the rollout of a new login feature in April 2022 introduced a software bug that allowed unauthorized access to accounts, potentially compromising transaction details, balances, and personal information. S-Pankki self-reported the issue to the Data Protection Ombudsman in August 2022, after it had persisted for several months.
The Breach & Key Failures Identified
Because Finnish bank credentials also serve as strong electronic identification for many third-party public and private services, the flaw in the authentication system permitted cross-access to strongly authenticated services beyond S-Pankki’s own platforms, and it led to actual instances of fraud and financial losses for some customers. The Ombudsman’s investigation uncovered several shortcomings:
- Inadequate Testing: The new login system was not thoroughly vetted before deployment, overlooking the critical bug.
- Slow Reaction to Reports: Customer complaints about login irregularities were not promptly addressed, prolonging the exposure.
- Weak Security Measures: S-Pankki did not implement sufficient protections for personal data, breaching GDPR requirements for technical and organizational safeguards.
Deputy Data Protection Ombudsman Annina Hautala noted that banks must prioritize security given the severe consequences of data misuse in financial contexts.
S-Pankki’s Response: Addressing the Fallout
S-Pankki described the issue as a rare and hard-to-detect error from a third-party supplier. The bank stated it fixed the vulnerability right after discovery, reimbursed affected customers for losses, and has since enhanced its security protocols. It also cooperated fully with the investigation.
Reports suggest a 16-year-old discovered the flaw and warned S-Pankki, but the alert was initially overlooked. The teen and associates then exploited it, stealing over €1 million before the bank acted decisively. This raises questions about S-Pankki’s handling of external reports.
Regulatory Context: Dual Penalties for S-Pankki
This GDPR fine follows a €7.67 million penalty from Finland’s Financial Supervisory Authority (FIN-FSA) for related operational risk failures, totaling nearly €9.5 million—one of the largest in Finnish banking history. Such combined sanctions reflect intensified oversight of digital risks in finance.
GDPR Framework: Core Principles and Enforcement
The GDPR, in force since May 2018, sets strict standards for handling personal data across the EU, including Finland. Key to this case is Article 32, which requires organizations to implement appropriate technical and organizational measures to protect data against unauthorized access, loss, or alteration. Infringements of Article 32 fall under the lower of the GDPR’s two fining tiers (Article 83(4)): up to €10 million or 2% of global annual turnover, whichever is higher. The upper tier of €20 million or 4% (Article 83(5)) applies to breaches of the core processing principles and of data subjects’ rights.
In Finland, the Data Protection Ombudsman oversees enforcement, and administrative fines are imposed by the Sanctions Board formed by the Ombudsman and the deputy ombudsmen. The regulation emphasizes accountability, requiring data controllers like S-Pankki to assess the risks of their processing and to maintain records of processing activities. Non-compliance, as seen here, can lead to significant penalties, especially when breaches affect sensitive financial data. GDPR also requires controllers to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, and it grants individuals rights to access or erase their data. This framework aims to foster trust in digital services while deterring negligence through robust penalties.
Other GDPR Fines in Finland: A Comparative Overview
Finland has seen a steady increase in GDPR enforcement, with the Data Protection Ombudsman issuing fines across sectors. Below is a table summarizing notable administrative fines from 2020 to 2025:
Year | Company | Fine Amount (€) | Violation Summary |
---|---|---|---|
2020 | Taksi Helsinki Oy | 72,000 | Failure to assess risks in data processing |
2020 | Kymen Vesi Oy | 16,000 | Processing employees’ vehicle location data without a data protection impact assessment |
2020 | Posti Group Oyj | 100,000 | Transparency violations in data handling |
2022 | Viking Line Oy Abp | 230,000 | Unlawful processing of employees’ health data |
2023 | Suomen Yritysrekisteri | 23,000 | Infringements of right to access call recordings |
2024 | Verkkokauppa.com Plc | 856,000 | Indefinite retention of customer account data with no defined storage period |
2024 | Posti | 2,400,000 | Shortcomings in OmaPosti service data practices |
2025 | Yliopiston Apteekki | 1,100,000 | Improper use of cookies and tracking technologies |
2025 | S-Pankki | 1,800,000 | Security vulnerability in mobile banking app |
This list illustrates a pattern of escalating fines, particularly in sectors handling sensitive data like finance, health, and retail.
Broader Implications for Finnish Banking
With high digital banking adoption in Finland, incidents like this underscore the need for rigorous cybersecurity. Similar to global cases such as the Equifax breach, S-Pankki’s issues highlight gaps between innovation and protection.
Finnish Financial Institutions Need To Take Data Privacy Seriously
The S-Pankki fine reveals complacency in risk management, including ignoring early warnings. Institutions should invest in comprehensive testing, swift incident responses, and whistleblower channels. While fines like this are notable, they represent a small fraction of revenue for larger entities, suggesting the need for complementary measures like mandatory audits.
GDPR’s enforcement in Finland demonstrates its effectiveness in promoting accountability, though ongoing challenges persist in balancing digital growth with privacy.
The €1.8 million fine against S-Pankki marks a significant enforcement action under GDPR, emphasizing the critical need for robust security in mobile banking. As Finland’s regulators continue to hold companies accountable, this case serves as a benchmark for prioritizing data protection in the financial sector.