Finnish SA: loan comparison provider Sambla Group issued administrative fine for data security neglect

10 March 2025

Background information

  • Date of final decision: 17 December 2024
  • National case
  • Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 25 (Data protection by design and by default), Article 32 (Security of processing)
  • Decision: Administrative fine, Communication order (personal data breach), Reprimand
  • Key words: Data security, Personal data breach, Third party access to personal data


Summary of the Decision

Origin of the case

The Finnish SA launched an investigation based on a complaint filed by a customer. A technical investigation revealed serious data security issues with the controller’s loan comparison services. When the seriousness of the data security issues became apparent in spring 2024, the company was ordered to immediately cease processing of the personal data relating to loan applicants in its electronic services.


Key Findings

Sambla Group’s loan comparison services lacked adequate restrictions to prevent third parties from accessing the data in the loan applications (art. 32 GDPR, art. 25 GDPR and art. 5(1)(f)). Due to poor data security, the content of customers’ loan applications was accessible to third parties through personal URLs intended for the customers. Anyone with access to the URL and sufficient technical expertise to exploit the security vulnerability had direct access to the data. The technical investigation revealed that the URLs had been targeted with phishing and personal data had been disclosed to third parties. The information available through the links included at least the loan applicant’s contact details, as well as information on their income, housing costs, marital status and possible children. 
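The weakness described above belongs to a general class: a "personal" link that is the only thing standing between the internet and an applicant's record. The decision does not describe how the controller's URLs were built, so the following is an added illustration written for this summary (not Sambla Group's code, and not a reconstruction of its system): a link-only lookup beside a hardened lookup that treats the link as a hint and still requires the authenticated owner, an expiry, and an audit trail of refusals. All names, the sample applications and the token layout are constructed for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed sample records (not real applicants).
@dataclass(frozen=True)
class LoanApplication:
    app_id: str
    owner_id: str          # account that submitted the application
    contact: str
    monthly_income: int
    housing_cost: int

APPLICATIONS = {
    "app-1": LoanApplication("app-1", "user-alice", "alice@example.invalid", 3200, 900),
    "app-2": LoanApplication("app-2", "user-bob", "bob@example.invalid", 2750, 1100),
}

# --- Weak pattern: the link token alone grants access ---------------------
# Anyone who obtains the URL (forwarded mail, phishing, referrer leak, logs)
# gets the full record; there is nothing to check against.
WEAK_LINKS = {"tok-alice-123": "app-1", "tok-bob-456": "app-2"}

def fetch_by_link_weak(token: str) -> Optional[LoanApplication]:
    app_id = WEAK_LINKS.get(token)
    return APPLICATIONS.get(app_id) if app_id else None

# --- Hardened pattern: link is a pointer, not a credential -----------------
@dataclass(frozen=True)
class LinkToken:
    app_id: str
    owner_id: str          # the only account allowed to follow the link
    expires_at: float      # unix time; links die on their own

HARDENED_LINKS: dict[str, LinkToken] = {}
DENIED_LOG: list[str] = []  # what a SOC would want to see for this endpoint

def issue_link(app: LoanApplication, now: float, ttl_seconds: int = 7 * 24 * 3600) -> str:
    # Unguessable token from the CSPRNG; nothing about the applicant is encoded in it.
    token = secrets.token_urlsafe(32)
    HARDENED_LINKS[token] = LinkToken(app.app_id, app.owner_id, now + ttl_seconds)
    return token

def fetch_by_link_hardened(token: str, session_user_id: Optional[str],
                           now: float) -> Optional[LoanApplication]:
    rec = HARDENED_LINKS.get(token)
    # Every refusal is logged the same way so enumeration attempts are visible
    # without revealing which condition failed to the caller.
    if rec is None:
        DENIED_LOG.append(f"deny unknown-token user={session_user_id}")
        return None
    if now > rec.expires_at:
        DENIED_LOG.append(f"deny expired app={rec.app_id} user={session_user_id}")
        return None
    if session_user_id is None or not secrets.compare_digest(rec.owner_id, session_user_id):
        DENIED_LOG.append(f"deny not-owner app={rec.app_id} user={session_user_id}")
        return None
    return APPLICATIONS.get(rec.app_id)

if __name__ == "__main__":
    now = time.time()
    print("weak, no login:", fetch_by_link_weak("tok-alice-123"))
    tok = issue_link(APPLICATIONS["app-1"], now)
    print("hardened, no login:", fetch_by_link_hardened(tok, None, now))
    print("hardened, owner:", fetch_by_link_hardened(tok, "user-alice", now))
    print("denials:", DENIED_LOG)
```

The point of the hardened version is that possession of the URL is never sufficient on its own: the request must also carry an authenticated session for the account that created the application, the link expires, and every refusal is recorded so that a burst of attempts against the endpoint shows up in monitoring rather than going unnoticed.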


Decision

The Finnish SA imposed an administrative fine of EUR 950 000 on the controller. The controller was also ordered to notify its customers of the incident. The controller has announced that it has stopped using the vulnerable URLs and improved the data security of its services.

For further information:

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.