Finland's Data Protection Ombudsman has imposed an €865,000 penalty on Aktia Bank for security failures. The fine addresses a data protection violation that occurred during a technical update.
The incident happened in January 2023 when the bank made changes to its electronic identification system. For approximately one hour, some customers could access other users' highly personal information when logging into various services.
The glitch affected authentication for government services, unemployment funds, insurance companies, and healthcare providers. It did not impact online banking services directly.
Deputy Data Protection Ombudsman Heljä-Tuulia Pihamaa emphasized that strong authentication must function correctly. She stated it must verify user identity and maintain data confidentiality.
Authorities found deficiencies in how Aktia planned, implemented, and tested the technical change. Pihamaa noted that organizations handling large amounts of personal data must prioritize security measures.
The breach affected approximately 350 individuals. Aktia says no misuse of information has been identified.
Following the incident, Aktia implemented new testing methods to prevent future authentication mix-ups. The bank claims this was an isolated error and maintains its security standards.
Aktia's Communications Director Mia Smeds expressed disagreement with the regulatory decision. She called the penalty disproportionate given the bank's response and the isolated nature of the incident.
Smeds acknowledged some breaches involved access to personal health information. She apologized for this serious privacy violation while noting the problem lasted less than one hour.
The bank has since enhanced quality assurance processes and staff data protection training. Aktia assures customers they can continue using services with confidence.
The decisions are not yet legally binding. Aktia confirms it will appeal to an administrative court, challenging interpretations of pre-incident security testing requirements.
This case highlights how even brief technical failures can expose sensitive customer data. Banks face increasing scrutiny over data protection as digital services expand.