S-Bank fined for S-mobiili data security vulnerability
The Sanctions Board of the Office of the Data Protection Ombudsman has imposed a fine of EUR 1.8 million on S-Bank for failing to ensure data security in the online banking authentication process. Due to a software bug in the authentication service in 2022, logging into the online bank and online services using strong authentication was possible with the credentials of other customers.
The Office of the Data Protection Ombudsman investigated the breach following a notification by S-Bank in August 2022. In April 2022, the bank had introduced a new login functionality in S-Mobile. The software contained a security vulnerability that was exploitable for more than three months, from April to August.
Due to this vulnerability, some of the bank's customers fell victim to a data breach. In practice, the vulnerability affected a significant proportion of the bank's customers. The misuse of online banking credentials caused financial loss to some customers. S-Bank has announced that it has compensated customers for direct losses.
Shortcomings in safeguards and vulnerability assessment
The investigation by the Office of the Data Protection Ombudsman found that S-Bank did not have adequate safeguards in place to ensure the security of personal data. The bank had not adequately tested the new software prior to its introduction and had not identified the vulnerability before the functionality was deployed. It also failed to respond adequately to its customers' communications about anomalies when logging into the online bank.
"This case demonstrates the need for organisations to invest in adequate security and testing, taking into account the risks associated with the processing of their personal data. This is especially true for banks because the misuse of bank data can cause people great harm," says Deputy Data Protection Ombudsman Annina Hautala.
"In such situations, you have to act quickly. Customers need to be able to trust that their bank and account information are safe," says Hautala.
Fine for non-compliance with data protection requirements
The Deputy Data Protection Ombudsman considers that S-Bank’s actions violated the requirements of the EU General Data Protection Regulation on the secure processing of personal data. The Sanctions Board imposed a fine of EUR 1.8 million on the bank, and the Deputy Data Protection Ombudsman issued a reprimand for breaching data protection legislation. The Sanctions Board considered the imposition of a fine for the data protection breach to be necessary in view of the need to protect the rights of individuals, the general importance of the case and the previous warning given to S-Bank by the Data Protection Ombudsman.
In May 2025, the Financial Supervisory Authority assessed S-Bank's conduct in the same set of events for other infringements and imposed a fine of EUR 7,670,000 for negligence in the management of operational risks. The Sanctions Board took into account the decision of the Financial Supervisory Authority when determining the amount of the fine, and adjusted it accordingly. The amount of the fine imposed for data protection breaches is about one third of what it would have been without the fine imposed by the Financial Supervisory Authority.
The decision is not yet final and can be appealed to the Administrative Court.
Further information:
Deputy Data Protection Ombudsman Annina Hautala, annina.hautala(at)om.fi, tel. +358 29 566 6776
Financial Supervisory Authority's press release 23 May 2025, in Finnish: S-Bank Plc receives a joint fine of EUR 7,670,000 and a public warning (finanssivalvonta.fi)
Office of the Data Protection Ombudsman's press release 15 September 2022, in Finnish: The Data Protection Ombudsman is investigating an S-Bank system failure – S-Bank has reported that it has been in contact with customers who have suffered a data breach
Updated 10 September 2025 at 5.30 p.m.
- Correction: the vulnerability affected a significant proportion of the bank's customers, i.e. all users of the S-Mobiili app, not all customers of the bank.
- Updated the headnote to state that the software bug that allowed the login was in the authentication service.
- Updated that the decision by the Financial Supervisory Authority concerned the same set of events.
The decision-making of the sanctions board and legal protection of controllers are provided for in the Finnish Data Protection Act. The sanctions board is made up of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen, and it has the power to impose administrative fines for violations of data protection legislation. The maximum amount of the administrative fine is four percent of the company’s turnover or EUR 20 million.