Aktia Bank fined for data security shortcomings in its strong electronic authentication service
The Sanctions Board of the Office of the Data Protection Ombudsman has imposed a fine of EUR 865,000 on Aktia for failing to ensure data security in its electronic authentication service. Due to a short-term disruption, some people who had logged in to various services with Aktia's online banking credentials had access to other customers' highly personal data, as the service confused people's identities. The Office of the Data Protection Ombudsman considers that the bank demonstrated shortcomings in the design, implementation and testing of a technical change to the service.
In January 2023, Aktia's strong electronic authentication service experienced a disruption due to a technical change. During the disruption, which lasted for about an hour, some people who logged in with Aktia's online banking credentials to services requiring strong authentication were able to view other people's data. It was also possible to use the services in the name of another customer.
The data breach affected public administration services, unemployment funds, insurance companies and health care providers. The problem did not, however, affect logging in to Aktia's online banking. The disruption extended to services that contain highly private information, such as data on health and financial status.
“Strong authentication must work properly because it is designed to verify the identity of the user and safeguard the confidentiality of the data. Online banking credentials are used to log in to services where you do not want your data to be seen by others,” says Deputy Data Protection Ombudsman Heljä-Tuulia Pihamaa.
Approximately 350 people were affected by the data breach. Aktia says that it does not know of any misuse of data due to the disruption.
Security of the authentication service should have been ensured by adequate change management
The Office of the Data Protection Ombudsman investigated Aktia's activities and the cause of the disruption. The investigation found that Aktia should have planned and implemented the technical change to the authentication service more carefully, and tested the service sufficiently after the change. Functionality could have been tested more extensively using conventional and commonly used methods. Since the disruption, Aktia has put in place testing procedures to ensure that authentications do not get mixed up with each other.
“Adequate measures always depend on what sector the organisation is in and what type of service it provides. The larger the volumes of personal data processed and the more serious the consequences of their compromise for people, the greater the need to invest in security and the necessary measures,” Pihamaa points out.
The Sanctions Board of the Office of the Data Protection Ombudsman imposed an administrative fine on Aktia for failing to comply with the requirements of data protection legislation on the secure processing of personal data. In assessing the scale of the fine, it was taken into account that Aktia had been prepared to react quickly to the disruption and took prompt action to remedy the situation, thereby mitigating the damage.
The Deputy Data Protection Ombudsman also issued a reprimand to the bank for breaching the General Data Protection Regulation. The decisions are not yet final and can be appealed to the Administrative Court.
Further information:
Deputy Data Protection Ombudsman Heljä-Tuulia Pihamaa, helja-tuulia.pihamaa(at)om.fi, tel. +358 29 566 6787
The decision-making of the sanctions board and legal protection of controllers are provided for in the Finnish Data Protection Act. The sanctions board is made up of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen, and it has the power to impose administrative fines for violations of data protection legislation. The maximum amount of the administrative fine is four percent of the company’s turnover or EUR 20 million.