Finland: Data Protection Ombudsman's Office issued a ruling with penalty of EUR 1.8 million against S-Banken over information security negligence in online banking

Description

On 8 September 2025, the Data Protection Ombudsman's Office imposed a penalty of EUR 1.8 million against S-Banken over information security negligence in online banking. The negligence stemmed from a programming error in the S-mobil login function, implemented in April 2022, which created a vulnerability allowing login with other customers' codes for over three months until August 2022. The investigation found that S-Banken did not use sufficient safeguards, failed to adequately test the new software before use, and did not react sufficiently to customer reports of login discrepancies. The Data Protection Ombudsman considered these operations a violation of the European Union's General Data Protection Regulation requirements for secure personal data processing.

Scope

Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: other service provider
Implementation Level: national
Government Branch: executive
Government Body: data protection authority

Complete timeline of this policy change

2022-09-15
under deliberation

On 15 September 2022, the Finnish Data Ombudsman opened an investigation into a personal data incid…

2025-09-08
in force

On 8 September 2025, the Data Protection Ombudsman's Office imposed a penalty of EUR 1.8 million ag…